Unified Threat Management

Advanced Firewall – Administrator’s Guide

Smoothwall® Advanced Firewall, Administrator’s Guide, December 2013
Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other
guides delivered with earlier versions of Advanced Firewall.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without the express written permission of Smoothwall.
For more information, contact: docs@smoothwall.net
© 2001 – 2013 Smoothwall Ltd. All rights reserved.
Trademark notice
Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd.
Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire Inc.
DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95,
Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered
trademark of Netscape Communications Corporation in the United States and other countries. Apple and
Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation.
Core is a trademark of Intel Corporation.
All other products, services, companies, events and publications mentioned in this document, associated
documents and in Smoothwall software may be trademarks, registered trademarks or service marks of
their respective owners in the UK, US and/or other countries.
Acknowledgements
Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team:
Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley,
Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan
Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S.
Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves
Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul
Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez
Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc
Wormgoor.
Advanced Firewall contains graphics taken from the Open Icon Library project (http://openiconlibrary.sourceforge.net/).
Address

Smoothwall Limited
1 John Charles Way
Leeds LS12 6QA
United Kingdom

Email: info@smoothwall.net
Web: www.smoothwall.net

Telephone

USA and Canada: 1 800 959 3760
United Kingdom: 0870 1 999 500
All other countries: +44 870 1 999 500

Fax

USA and Canada: 1 888 899 9164
United Kingdom: 0870 1 991 399
All other countries: +44 870 1 991 399

Contents
Chapter 1

Introduction .................................................... 1
Overview of Advanced Firewall ....................................................... 1
Who should read this guide? ........................................................... 1
Other User Information..................................................................... 1
Annual Renewal................................................................................. 2

Chapter 2

Advanced Firewall Overview......................... 3
Accessing Advanced Firewall .......................................................... 3
Dashboard ......................................................................................... 4
Logs and reports ............................................................................... 5
Reports............................................................................................... 5
Alerts .................................................................................................. 5
Realtime ............................................................................................. 5
Logs.................................................................................................... 6
Settings .............................................................................................. 6
Networking ........................................................................................ 7
Filtering .............................................................................................. 7
Routing............................................................................................... 7
Interfaces ........................................................................................... 7
Firewall............................................................................................... 8
Outgoing ............................................................................................ 8
Settings .............................................................................................. 8
Services.............................................................................................. 9
Authentication ................................................................................... 9
User Portal......................................................................................... 9
Proxies .............................................................................................. 9
SNMP................................................................................................ 11
DNS................................................................................................... 11
Message Censor ............................................................................. 11
Intrusion System ............................................................................. 11
DHCP................................................................................................ 12
System ............................................................................................. 13
Maintenance .................................................................................... 13
Central Management ...................................................................... 13
Preferences ..................................................................................... 13
Administration ................................................................................. 14
Hardware ......................................................................................... 14
Diagnostics ...................................................................................... 14
Certificates ...................................................................................... 14
VPN................................................................................................... 15
Configuration Guidelines................................................................ 15
Specifying Networks, Hosts and Ports ......................................... 15
Using Comments............................................................................. 16

Creating, Editing and Removing Rules ......................................... 16
Connecting via the Console ........................................................... 17
Connecting Using a Client ............................................................. 17
Secure Communication .................................................................. 18
Unknown Entity Warning ................................................................ 18
Inconsistent Site Address .............................................................. 18

Chapter 3

Working with Interfaces .............................. 19
Configuring Global Settings for Interfaces ................................... 19
Connecting Using an Internet Connectivity Profile ..................... 20
Connecting Using a Static Ethernet Connectivity Profile ........... 20
Connecting using a DHCP Ethernet Connectivity Profile ........... 22
Connecting using a PPP over Ethernet Connectivity Profile ...... 23
Connecting using a PPTP over Ethernet Connectivity Profile .... 25
Connecting using an ADSL/DSL Modem Connectivity Profile ... 27
Connecting using an ISDN Modem Connectivity Profile............. 28
Connecting Using a Dial-up Modem Connectivity Profile........... 30
Creating a PPP Profile .................................................................... 31
Modifying Profiles ........................................................................... 33
Deleting Profiles .............................................................................. 33
Working with Bridges ..................................................................... 33
Creating Bridges ............................................................................. 33
Editing Bridges ................................................................................ 34
Deleting Bridges.............................................................................. 34
Working with Bonded Interfaces ................................................... 34
Creating Bonds ............................................................................... 34
Editing Bonds .................................................................................. 35
Deleting Bonds ................................................................................ 35
Configuring IP Addresses .............................................................. 35
Adding an IP Address ..................................................................... 35
Editing an IP Address ..................................................................... 35
Deleting an IP Address ................................................................... 36
Virtual LANs ..................................................................................... 36
Creating a VLAN.............................................................................. 36
Editing a VLAN................................................................................. 37
Deleting a VLAN .............................................................................. 37

Chapter 4

Managing Your Network Infrastructure..... 39
Creating Subnets ............................................................................ 39
Editing and Removing Subnet Rules............................................. 40
Using RIP ......................................................................................... 40
Sources ............................................................................................ 42
Creating Source Rules.................................................................... 42
Removing a Rule ............................................................................. 43
Editing a Rule .................................................................................. 43
About IP Address Definitions ......................................................... 43
Ports ................................................................................................. 43
Creating a Ports Rule ..................................................................... 44
Creating an External Alias Rule ..................................................... 45
Editing and Removing External Alias Rules ................................. 45
Port Forwards from External Aliases ............................................ 46

Creating a Source Mapping Rule .................................................. 46
Editing and Removing Source Mapping Rules............................. 47
Managing Internal Aliases.............................................................. 47
Creating an Internal Alias Rule ...................................................... 47
Editing and Removing Internal Alias Rules................................... 48
Working with Secondary External Interfaces ............................... 48
Configuring a Secondary External Interface ................................ 48

Chapter 5

General Network Security Settings ............ 51
Blocking by IP.................................................................................. 51
Creating IP Blocking Rules ............................................................ 51
Editing and Removing IP Block Rules........................................... 52
Configuring Advanced Networking Features ............................... 52
Working with Port Groups.............................................................. 55
Creating a Port Group .................................................................... 56
Adding Ports to Existing Port Groups ........................................... 56
Editing Port Groups ........................................................................ 57
Deleting a Port Group ..................................................................... 57

Chapter 6

Configuring Inter-Zone Security................. 59
About Zone Bridging Rules ............................................................ 59
Creating a Zone Bridging Rule ...................................................... 59
Editing and Removing Zone Bridge Rules.................................... 61
A Zone Bridging Tutorial ................................................................ 61
Creating the Zone Bridging Rule ................................................... 61
Allowing Access to the Web Server .............................................. 62
Accessing a Database on the Protected Network....................... 62
Group Bridging ................................................................................ 63
Group Bridging and Authentication............................................... 63
Creating Group Bridging Rules...................................................... 63
Editing and Removing Group Bridges........................................... 65

Chapter 7

Managing Inbound and Outbound Traffic.. 67
Introduction to Port Forwards – Inbound Security ...................... 67
Port Forward Rules Criteria ........................................................... 67
Creating Port Forward Rules ......................................................... 68
Load Balancing Port Forwarded Traffic........................................ 69
Editing and Removing Port Forward Rules .................................. 69
Advanced Network and Firewall Settings..................................... 69
Network Application Helpers ......................................................... 70
Managing Bad External Traffic ...................................................... 71
Configuring Reflective Port Forwards .......................................... 71
Managing Connectivity Failback ................................................... 71
Managing Outbound Traffic and Services .................................... 72
Working with Port Rules................................................................. 72
Working with Outbound Access Policies...................................... 76
Managing External Services .......................................................... 78

Chapter 8

Advanced Firewall Services ........................ 81
Working with Portals ...................................................................... 81
Creating a Portal ............................................................................. 81
Configuring a Portal........................................................................ 83
Accessing Portals ........................................................................... 86
Editing Portals ................................................................................. 86
Deleting Portals............................................................................... 86
Managing the Web Proxy Service.................................................. 87
Configuring and Enabling the Web Proxy Service ....................... 88
About Web Proxy Methods ............................................................ 91
Configuring End-user Browsers .................................................... 92
Instant Messenger Proxying .......................................................... 93
Monitoring SSL-encrypted Chats .................................................. 96
SIP Proxying .................................................................................... 96
Types of SIP Proxy .......................................................................... 96
Choosing the Type of SIP Proxying............................................... 97
Configuring SIP ............................................................................... 97
FTP Proxying ................................................................................... 99
Configuring non-Transparent FTP Proxying ................................ 99
Configuring Transparent FTP Proxying ...................................... 100
Reverse Proxy Service.................................................................. 102
Configuring the Reverse Proxy Service ...................................... 103
SNMP.............................................................................................. 104
DNS................................................................................................. 105
Adding Static DNS Hosts ............................................................. 105
Enabling the DNS Proxy Service.................................................. 106
Managing Dynamic DNS............................................................... 107
Censoring Message Content ....................................................... 109
Configuration Overview................................................................ 109
Managing Custom Categories ..................................................... 109
Setting Time Periods .................................................................... 110
Creating Filters.............................................................................. 111
Creating and Applying Message Censor Policies...................... 113
Editing Polices............................................................................... 114
Deleting Policies ........................................................................... 114
Managing the Intrusion System................................................... 114
About the Default Policies............................................................ 114
Deploying Intrusion Detection Policies....................................... 114
Deploying Intrusion Prevention Policies ..................................... 115
Creating Custom Policies............................................................. 117
Uploading Custom Signatures..................................................... 118
DHCP.............................................................................................. 119
Enabling DHCP.............................................................................. 120
Creating a DHCP Subnet.............................................................. 120
Editing a DHCP subnet ................................................................. 123
Deleting a DHCP subnet............................................................... 123
Adding a Dynamic Range ............................................................. 123
Adding a Static Assignment......................................................... 123
Adding a Static Assignment from the ARP Table ...................... 124
Editing and Removing Assignments ........................................... 124
Viewing DHCP Leases .................................................................. 124
DHCP Relaying .............................................................................. 125
Creating Custom DHCP Options ................................................. 125

Chapter 9

Virtual Private Networking ........................ 127
Advanced Firewall VPN Features ................................................ 127
What is a VPN? .............................................................................. 127
About VPN Gateways.................................................................... 128
Administrator Responsibilities..................................................... 128
About VPN Authentication............................................................ 128
PSK Authentication....................................................................... 129
X509 Authentication...................................................................... 129
Configuration Overview................................................................ 130
Working with Certificate Authorities and Certificates............... 131
Creating a CA ................................................................................ 131
Exporting the CA Certificate ........................................................ 132
Importing Another CA's Certificate ............................................. 133
Deleting the Local Certificate Authority and its Certificate ...... 133
Deleting an Imported CA Certificate ........................................... 134
Managing Certificates .................................................................. 134
Creating a Certificate ................................................................... 134
Reviewing a Certificate ................................................................ 135
Exporting Certificates................................................................... 135
Exporting in the PKCS#12 Format............................................... 136
Importing a Certificate.................................................................. 136
Deleting a Certificate .................................................................... 137
Setting the Default Local Certificate ........................................... 137
Site-to-Site VPNs – IPSec............................................................. 138
Recommended Settings ............................................................... 138
Creating an IPsec Tunnel ............................................................. 139
IPSec Site to Site and X509 Authentication – Example ............. 144
Prerequisite Overview .................................................................. 144
Creating the Tunnel on the Primary System............................... 144
Creating the Tunnel on the Secondary System.......................... 145
Checking the System is Active .................................................... 147
Activating the IPSec tunnel .......................................................... 147
IPSec Site to Site and PSK Authentication................................. 147
Creating the Tunnel Specification on Primary System.............. 147
Creating the Tunnel Specification on the Secondary System .. 148
Checking the System is Active .................................................... 149
Activating the PSK tunnel............................................................. 149
About Road Warrior VPNs............................................................ 150
Configuration Overview................................................................ 150
IPSec Road Warriors .................................................................... 151
Creating an IPSec Road Warrior ................................................. 151
Supported IPSec Clients .............................................................. 154
Creating L2TP Road Warrior Connections ................................. 154
Creating a Certificate ................................................................... 154
Configuring L2TP and SSL VPN Global Settings........................ 154
Creating an L2TP Tunnel .............................................................. 155
Configuring an iPhone-compatible Tunnel................................. 156
Using NAT-Traversal..................................................................... 157
VPNing Using L2TP Clients .......................................................... 157
L2TP Client Prerequisites............................................................. 157

Installing an L2TP Client ................................................ 157
Connecting Using Windows XP/2000 ..........................................
VPNing with SSL ........................................................... 158
Configuring VPN with SSL .................................................. 162
Managing SSL Road Warriors ................................................ 162
Prerequisites ............................................................. 162
Managing Group Access to SSL VPNs ......................................... 163
Managing Custom Client Scripts for SSL VPNs ............................... 163
Generating SSL VPN Archives ............................................... 164
Configuring and Connecting Clients ........................................ 165
Configuring SSL VPN on Internal Networks .................................. 165
VPN Zone Bridging ......................................................... 166
Secure Internal Networking ................................................ 169
Creating an Internal L2TP VPN ............................................. 169
Advanced VPN Configuration ................................................ 169
Multiple Local Certificates ............................................... 171
Creating Multiple Local Certificates ...................................... 171
Public Key Authentication ................................................. 171
Configuring Both Ends of a Tunnel as CAs .................................. 172
Extended Site to Site Routing ............................................. 173
VPNs between Business Partners ............................................ 173
Managing VPN Systems ...................................................... 174
Automatically Starting the VPN System ..................................... 175
Manually Controlling the VPN System ....................................... 176
Viewing and Controlling Tunnels ........................................... 176
VPN Logging ............................................................... 177
VPN Tutorials ............................................................. 178
Example 1: Preshared Key Authentication ................................... 178
Example 2: X509 Authentication ............................................ 178
Example 3: Two Tunnels and Certificate Authentication ..................... 180
Example 4: IPSec Road Warrior Connection .................................. 182
Example 5: L2TP Road Warrior .............................................. 183
Working with SafeNet SoftRemote ........................................... 186
Configuring IPSec Road Warriors ........................................... 187
Using the Security Policy Template SoftRemote ............................. 187
Creating a Connection without the Policy File ............................. 188
Advanced Configuration .................................................... 189

Chapter 10

Authentication and User Management ......................... 191
Configuring Global Authentication Settings ................................ 193
About Directory Servers ................................................... 193
Configuring Directories ................................................... 194
Configuring an LDAP Connection ............................................ 195
Configuring a Microsoft Active Directory Connection ....................... 195
Configuring a RADIUS Connection ........................................... 196
Configuring an Active Directory Connection – Legacy Method ................ 199
Configuring a Local Users Directory ....................................... 200
Reordering Directory Servers .............................................. 203
Editing a Directory Server ................................................ 203
Deleting a Directory Server ............................................... 204
Diagnosing Directories .................................................... 204
Managing Local Users ...................................................... 204
Adding Users .............................................................. 204
Editing Local Users ....................................................... 204
Deleting Users ............................................................ 205
Mapping Groups ............................................................ 205
Remapping Groups .......................................................... 205
Deleting Group Mappings ................................................... 206
Managing Temporarily Banned Users ......................................... 206
Creating a Temporary Ban .................................................. 206
Removing Temporary Bans ................................................... 206
Removing Expired Bans ..................................................... 207
Managing User Activity .................................................... 207
Viewing User Activity ..................................................... 208
Logging Users Out ......................................................... 208
Banning Users ............................................................. 208
About SSL Authentication .................................................. 208
Reviewing SSL Login Pages ................................................. 209
Customizing the SSL Login Page ............................................ 209
Configuring SSL Login ..................................................... 210
Creating SSL Login Exceptions ............................................. 211
Managing Kerberos Keytabs ................................................. 211
Managing Keytabs .......................................................... 212
Adding Keytabs ............................................................ 212
Using WPA Enterprise ...................................................... 213
Pre-requisites ............................................................ 213
Configuring Access Points ................................................. 214
Configuring WPA Enterprise ................................................ 214
Provisioning the Advanced Firewall Certificate ............................ 215
Managing Groups of Users .................................................. 215
About Groups .............................................................. 216
Adding Groups ............................................................. 216
Editing Groups ............................................................ 216
Deleting Groups ........................................................... 217

Chapter 11

Reporting .................................................. 217
Accessing Reporting ....................................................... 219
About the Summary Page .................................................... 219
Generating Reports ........................................................ 219
About Recent and Saved Reports ............................................ 220
Saving Reports ............................................................ 220
Canceling a Report ........................................................ 220
Changing Report Formats ................................................... 220
Managing Reports and Folders .............................................. 220
Report Permissions ........................................................ 221
Scheduling Reports ........................................................ 222
Making Reports Available on Portals ....................................... 222
Managing Log Retention .................................................... 223

Chapter 12

Information, Alerts and Logging ............................ 224
Overview .................................................................. 227
About the Dashboard ....................................................... 227
About the About Page ...................................................... 227
Available Alerts .......................................................... 227
Enabling Alerts ........................................................... 228
Realtime System Information ............................................... 233
Realtime IPsec Information ................................................ 234
Email Logs ................................................................ 243
IM Proxy Logs ............................................................. 247
Configuring Log Settings .................................................. 251
Managing Automatic Deletion of Logs ....................................... 252
About Email to SMS Output ................................................. 255
Configuring Output Settings ............................................... 255
Testing Email to SMS Output ............................................... 257
Installing Updates ........................................................ 259
Managing Modules .......................................................... 260
Licenses .................................................................. 261
Archives .................................................................. 262
About Archive Profiles .................................................... 262
235 Realtime Portal Information ................................................. 258 Chapter 13 Managing Your Advanced Firewall....................................................................................................................................... 238 System Logs ............................. 251 Configuring Other Log Settings....... 262 Installing Licenses ........................................................................................................ 255 Deleting a Group .......... 263 Creating an Archive ....................................................................... 229 Looking up an Alert by Its Reference................................................. 261 Removing a Module ............................................... 239 Firewall Logs ..................... 230 Realtime ..................................................................................................................................... 259 Installing Updates ............ 263 Downloading an Archive ............... 233 Realtime Firewall Information......................................................................................................... 253 Configuring Groups .............. 249 User Portal Logs ................. 245 IDS Logs............................................................................. 248 Web Proxy Logs .......................................................................................... 230 Configuring Alert Settings........................................................... 236 Realtime Instant Messaging .................................. 246 IPS Logs ........................................................................................................................................................................................... 259 Installing Updates on a Failover System.. 237 Logs........................ 263 viii ................ 
257 Output to Email ....................................................................... 254 Creating Groups....................................................................................... 254 Editing a Group ........................................................ 237 Realtime Traffic Graphs .......................................................................................................................................................................................... 256 About Placeholder Tags ...... 256 Configuring Email to SMS Output ................................................................................... 241 IPSec Logs.......................................... 249 Reverse Proxy Logs .........................Contents Alerts .......................... 257 Generating a Test Alert....

....................................................................................................... 275 Adding a Tenant .................................................................. 290 Deleting and Restoring Certificates ............................................................... 277 Managing Hardware Failover............................. 284 Configuring Modems ............................................... 287 IP Tools ................................................................... 266 Editing Schedules ............................... 293 Adding Child Nodes to the System ............................................................................... 275 Editing a Tenant ............................................................................................................................................................................. 286 Generating Diagnostics ................................................................................................................. 288 Analyzing Network Traffic ......................................................................................................................................................................................... 273 Editing and Removing External Access Rules .......................... 271 Configuring Administration and Access Settings ...... 290 Importing CA Certificates........................................................................................................................................................................................................................................................ 269 Configuring Registration Options...................................................... 267 Shutting down and Rebooting ................................................................................................................................................................................................................... 
284 Installing and Uploading Firmware........................................ 291 Pre-requirements ................................................................................................... 268 Setting Time...... 289 Managing CA Certificates .............................................. 268 Configuring the User Interface ............................................................................. 290 Chapter 14 Centrally Managing Smoothwall Systems291 About Centrally Managing Smoothwall Systems....................... 272 Referral Checking .................Smoothwall Advanced Firewall Administrator’s Guide Restoring an Archive ............................................ 264 Deleting Archives ....................................................................................................................................................................................................................................... 272 Configuring Admin Access Options ........................ 274 Managing Tenants .... 283 Testing Failover..................... 264 Uploading an Archive............. 267 Setting System Preferences .................. 272 Configuring External Access ...... 264 Scheduling ........ 270 Configuring the Hostname ......................................... 290 Exporting CA Certificates.................... 279 Prerequisites ................................................. 276 Deleting a Tenant ........................................................................................................................ 276 Hardware ................................................................................................................................. 294 ix .. 264 Scheduling Remote Archiving .............................................................. 292 Configuring Child Nodes ..... 292 Configuring the Parent Node ...... 280 Configuring Hardware Failover...................................................... 
291 Setting up a Centrally Managed Smoothwall System .......................................................................... 286 Configuration Tests ....................................................................................................................................................... 280 Administering Failover......... 290 Reviewing CA Certificates .............................................. 274 Administrative User Settings .. 279 How does it work? ........... 288 Whois.. 276 Managing UPS Devices .......................................................................... 286 Diagnostics .

.................................................................................................................... 301 Overview ................. 299 Disabling Nodes ................................ 314 Understanding Groups and Grouped Options ........... 315 Iterative Reporting ........................... 315 Group Ordering ................................................................. 297 Managing Nodes in a Smoothwall System ... 316 Creating Feed-forward and Iterative Groups ............................................................. 308 Example Report.................................................... 311 Changing the Report................................. 297 Monitoring Node Status .................................................... 298 Rebooting Nodes ................................... 296 Deleting Nodes in the System............................................................... 315 Grouping Sections ......................... 302 A Common DNS Pitfall.................. 302 Advanced Firewall and DNS....... 312 Creating Template Reports and Customizing Sections ....................................................... 302 Working with Large Directories................................................................................................................................................................................................... 309 Navigating HTML Reports . 317 x ....................................................................... 299 Appendix A Authentication ............................................................................................................................ 302 About the Login Time-out ..................................................................................... 308 Report Templates.................................................... 
304 About Kerberos .........................................................................................................................................................1X Profile Migration.................................... 309 Changing Report Date Ranges .......................... 302 Choosing an Authentication Mechanism....... Creation and Editing ..................................... 303 Accounts and NTLM Identification............................................................................................. 310 Saving Reports ........................................ 306 Appendix B Understanding Templates and Reports......... 307 Example Report Template..................................................... 298 Working with Updates ... 313 Grouped Sections ......................................... 310 Interpreted Results ........................................... 297 Accessing the Node Details Page ....................................................................................................... 316 Exporting Options .............. 304 Kerberos Pre-requisites and Limitations....... 301 Other Authentication Mechanisms............... Exporting and Drill Down Reporting ................................................................................. 304 Troubleshooting .... 314 Feed-Forward Reporting ................. 308 Viewing Reports........................................... 308 Changing Report Formats...........................................................................1X Wireless Network .... 301 About Authentication Mechanisms ..................... 305 Windows 7 802................. 304 Connecting a Windows 7 System to a WPA-Enterprise/802............................... 307 Programmable Drill-Down Looping Engine........................ 
311 Investigating Further (Drill down) ......................................................................................................................................................Contents Editing Child Node Settings ............................................................................................... 313 Ordering Sections ................................... 303 Active Directory Username Types..... 301 Verifying User Identity Credentials...... 303 Active Directory........................................................................................................................................................................................................................................

...................................................................................................... 321 General Sections ...................... 349 xi ...................................................................................................................................................................................................................................... 320 Scheduling Reports ........... 335 Extended Hosting Arrangement .................................................... 337 Glossary Index ............................. 332 Enabling L2TP Debugging........ 328 Appendix C Troubleshooting VPNs................Smoothwall Advanced Firewall Administrator’s Guide Reporting Folders .......................... 322 Network Interfaces ............................................................................................ 326 Origin Filtering............ 321 Reporting Sections ............................... 320 Portal Permissions.......................... 320 Renaming Folders ........................................................................ 332 Appendix D Hosting Tutorials............................. 318 Creating a Folder ....................................................... 324 Search Terms and Search Phrases ............................... 322 The Anatomy of a URL....................................................................................................................... 336 More Advanced Hosting Arrangement ............................................................................................................... 323 HTTP Request Methods and HTTPS Interception ......................................................................................................................................................................................................................................... 324 Guardian Status Filtering..... 325 Filtering by Search Terms ............................................... 
331 L2TP Road Warrior Problems ....................................................... 335 Basic Hosting Arrangement............. 321 Generators and Linkers ...................................... 331 Site-to-site Problems............................... 341 ............................................................................................................................................................... 326 URL Extraction and Manipulation..................................... 320 Deleting Folders . 332 Windows Networking Issues.

Contents xii .

Chapter 1 Introduction

In this chapter:
• An overview of Advanced Firewall
• Who should read this guide
• User information.

Overview of Advanced Firewall

Advanced Firewall is the Unified Threat Management system for enterprise networks. Combining the functions of perimeter and internal firewalls, Advanced Firewall employs Microsoft Active Directory/LDAP user authentication for policy-based access control to local network zones and Internet services. Secure wireless, secure remote access and site-to-site IPSec connectivity are provided by the integrated VPN gateway.

Advanced Firewall provides:
• Perimeter firewall – multiple Internet connections with load sharing and automatic connection failover
• Internal firewall – segregation of networks into physically separate zones with user-level access control of inter-zone traffic
• User authentication – policy-based access control and user authentication with support for Microsoft Active Directory, Novell eDirectory and other LDAP authentication servers
• VPN Gateway – site-to-site, secure remote access and secure wireless connections
• Email Security – anti-spam, anti-malware, mail relay and control
• Load balancer – the ideal solution for the efficient and resilient use of multiple Internet connections.

Who should read this guide?

System administrators maintaining and deploying Advanced Firewall should read this guide.

Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative.

Other User Information

Apart from this guide, you can also find information at:
• http://www.smoothwall.net/support contains the Smoothwall support portal, knowledge base and the latest product manuals.

Annual Renewal

To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.

Chapter 2 Advanced Firewall Overview

In this chapter:
• How to access Advanced Firewall
• An overview of the pages used to configure and manage Advanced Firewall.

Note: The following sections assume that you have registered and configured Advanced Firewall as described in the Advanced Firewall Installation and Setup Guide.

Accessing Advanced Firewall

To access Advanced Firewall:

1 In a web browser, enter the address of your Advanced Firewall, for example: https://192.168.72.141:441

Note: The example address above uses HTTPS to ensure secure communication with your Advanced Firewall. It is possible to use HTTP on port 81 if you are satisfied with less security.

2 Accept Advanced Firewall's certificate. The login screen is displayed.

3 Enter the following information:

  Username
    Enter admin. This is the default Advanced Firewall administrator account.
  Password
    Enter the password you specified for the admin account when installing Advanced Firewall.

4 Click Login. The Dashboard opens.

The following sections give an overview of Advanced Firewall's default sections and pages.

Dashboard

The dashboard is the default home page of your Advanced Firewall system. It displays service information and customizable summary reports.

Logs and reports

The Logs and reports section contains the following sub-sections and pages:

Reports
  Summary
    Displays a number of generated reports. For more information, see Chapter 11, About the Summary Page on page 219.
  Reports
    Where you generate and organize reports. For more information, see Chapter 11, Generating Reports on page 220.
  Recent and saved
    Lists recently-generated and previously saved reports. For more information, see Chapter 11, Saving Reports on page 220.
  Scheduled
    Sets which reports are automatically generated and delivered. For more information, see Chapter 11, Scheduling Reports on page 223.
  Custom
    Enables you to create and view custom reports. For more information, see Appendix B, Understanding Templates and Reports on page 307.

Realtime
  System
    A realtime view of the system log with some filtering options. For more information, see Chapter 12, Realtime System Information on page 233.
  Firewall
    A realtime view of the firewall log with some filtering options. For more information, see Chapter 12, Realtime Firewall Information on page 234.
  IPSec
    A realtime view of the IPSec log with some filtering options. For more information, see Chapter 12, Realtime IPsec Information on page 235.
  Portal
    A realtime view of activity on user portals. For more information, see Chapter 12, Realtime Portal Information on page 236.
  IM proxy
    A realtime view of recent instant messaging conversations. For more information, see Chapter 12, Realtime Instant Messaging on page 237.
  Traffic graphs
    Displays a realtime bar graph of the bandwidth being used. For more information, see Chapter 12, Realtime Traffic Graphs on page 237.
  Email
    Displays the email log viewer running in realtime mode. For more information, see Chapter 12, Email Logs on page 245.

Alerts
  Alerts
    Determine which alerts are sent to which groups of users and in what format. For more information, see Chapter 12, Alerts on page 227.
  Alert settings
    Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Chapter 12, Configuring Alert Settings on page 230.

Logs
  System
    Simple logging information for the internal system services. For more information, see Chapter 12, System Logs on page 239.
  Firewall
    Displays all data packets that have been dropped or rejected by the firewall. For more information, see Chapter 12, Firewall Logs on page 241.
  IPSec
    Displays diagnostic information for VPN tunnels. For more information, see Chapter 12, IPSec Logs on page 243.
  Email
    Displays sender, recipient, subject and other email message information. For more information, see Chapter 12, Email Logs on page 245.
  IDS
    Displays network traffic detected by the intrusion detection system (IDS). For more information, see Chapter 12, IDS Logs on page 246.
  IPS
    Displays network traffic detected by the intrusion prevention system (IPS). For more information, see Chapter 12, IPS Logs on page 247.
  IM proxy
    Displays information on instant messaging conversations. For more information, see Chapter 12, IM Proxy Logs on page 248.
  Web proxy
    Displays detailed analysis of web proxy usage. For more information, see Chapter 12, Web Proxy Logs on page 249.
  Reverse proxy
    Displays information on reverse proxy usage. For more information, see Chapter 12, Reverse Proxy Logs on page 249.

Settings
  Datastore settings
    Contains settings to manage the storing of log files, automated log deletion and rotation options. For more information, see Chapter 11, Managing Log Retention on page 224.
  Log settings
    Settings to configure the logs you want to keep and an external syslog server. For more information, see Chapter 12, Configuring Log Settings on page 251.
  Output settings
    Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, see Chapter 12, Configuring Output Settings on page 255.
  Groups
    Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Chapter 12, Configuring Groups on page 254.

Networking

The Networking section contains the following sub-sections and pages:

Interfaces
  Interfaces
    Configure and display information on your Advanced Firewall's internal interfaces. For more information, see Chapter 3, Configuring Global Settings for Interfaces on page 19.
  Connectivity
    Used to create external connection profiles and implement them. For more information, see Chapter 3, Connecting Using a Static Ethernet Connectivity Profile on page 20.
  External aliases
    Used to create IP address aliases on static Ethernet external interfaces. External aliases allow additional static IPs that have been provided by an ISP to be assigned to the same external interface. For more information, see Chapter 4, Creating an External Alias Rule on page 45.
  Internal aliases
    Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet – without the need for physical switches. For more information, see Chapter 4, Managing Internal Aliases on page 47.

Routing
  Subnets
    Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Chapter 4, Creating Subnets on page 39.
  RIP
    Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Chapter 4, Using RIP on page 40.
  Sources
    Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, see Chapter 4, Sources on page 42.
  Ports
    Used to create rules to set the external interface based on the destination port. For more information, see Chapter 4, Ports on page 43.

Filtering
  Zone bridging
    Used to define permissible communication between pairs of network zones. For more information, see Chapter 6, About Zone Bridging Rules on page 59.
  Group bridging
    Used to define the network zones that are accessible to authenticated groups of users. For more information, see Chapter 6, Group Bridging on page 63.
  IP block
    Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Chapter 5, Creating IP Blocking Rules on page 51.

Interfaces (continued)
  PPP
    Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Chapter 3, Creating a PPP Profile on page 31.
  Secondaries
    Used to configure an additional, secondary external interface. For more information, see Chapter 4, Working with Secondary External Interfaces on page 48.

Settings
  Port groups
    Create and edit groups of ports for use throughout Advanced Firewall. For more information, see Chapter 5, Working with Port Groups on page 55.
  Advanced
    Used to configure advanced network and traffic auditing parameters. For more information, see Chapter 5, Configuring Advanced Networking Features on page 52.

Firewall
  Port forwarding
    Used to forward incoming connection requests to internal network hosts. For more information, see Chapter 7, Introduction to Port Forwards – Inbound Security on page 67.
  Source mapping
    Used to map specific internal hosts or subnets to an external alias. For more information, see Chapter 4, Creating a Source Mapping Rule on page 46.
  Advanced
    Used to enable or disable NAT-ing helper modules and manage bad external traffic. For more information, see Chapter 7, Network Application Helpers on page 70.
  External services
    Used to define a list of external services that should always be accessible to internal network hosts. For more information, see Chapter 7, Managing External Services on page 78.

Outgoing
  Policies
    Used to assign outbound access controls to IP addresses and networks. For more information, see Chapter 7, Working with Outbound Access Policies on page 76.
  Ports
    Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Chapter 7, Managing Outbound Traffic and Services on page 72.

Services

The Services section contains the following sub-sections and pages:

Authentication
  Settings
    Used to set global login time settings. For more information, see Chapter 10, Configuring Global Authentication Settings on page 193.
  Directories
    Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions and verify the identity of users trying to access network or Internet resources. For more information, see Chapter 10, About Directory Servers on page 194.
  Groups
    Used to customize group names. For more information, see Chapter 10, Managing Groups of Users on page 216.
  Temporary bans
    Enables you to manage temporarily banned user accounts. For more information, see Chapter 10, Managing Temporarily Banned Users on page 206.
  User activity
    Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Chapter 10, Managing User Activity on page 208.
  SSL login
    Used to customize the end-user SSL login page and configure SSL login redirection and exceptions. For more information, see Chapter 10, About SSL Authentication on page 209.
  Kerberos keytabs
    This is where Kerberos keytabs are imported and managed. For more information, see Chapter 10, Managing Kerberos Keytabs on page 212.
  WPA Enterprise
    Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, see Chapter 10, Using WPA Enterprise on page 213.

User Portal
  Portals
    This page enables you to configure and manage user portals. For more information, see Chapter 8, Working with Portals on page 81.
  Groups
    This page enables you to assign groups of users to portals. For more information, see Chapter 8, Assigning Groups to Portals on page 85.
  User exceptions
    This page enables you to override group settings and assign a user directly to a portal. For more information, see Chapter 8, Making User Exceptions on page 85.

Proxies
  Web proxy
    Used to configure and enable the web proxy service, allowing controlled access to the Internet for local network hosts. For more information, see Chapter 8, Managing the Web Proxy Service on page 87.
  Instant messenger
    Used to configure and enable instant messaging proxying. For more information, see Chapter 8, Instant Messenger Proxying on page 93.

Proxies (continued)
  SIP
    Used to configure and enable a proxy to manage Session Initiation Protocol (SIP) traffic. For more information, see Chapter 8, SIP Proxying on page 96.
  FTP
    Used to configure and enable a proxy to manage FTP traffic. For more information, see Chapter 8, FTP Proxying on page 99.
  Reverse proxy
    The reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. For more information, see Chapter 8, Reverse Proxy Service on page 102.

SNMP
  SNMP
    Used to activate Advanced Firewall's Simple Network Management Protocol (SNMP) agent. For more information, see Chapter 8, SNMP on page 104.

DNS
  Static DNS
    Used to create a local hostname table for the purpose of mapping the hostnames of local network hosts to their IP addresses. For more information, see Chapter 8, Adding Static DNS Hosts on page 105.
  DNS proxy
    Used to provide a DNS proxy service for local network hosts. For more information, see Chapter 8, Enabling the DNS Proxy Service on page 106.
  Dynamic DNS
    Used to configure access to third-party dynamic DNS service providers. For more information, see Chapter 8, Managing Dynamic DNS on page 107.

Message Censor
  Policies
    Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Chapter 8, Creating and Applying Message Censor Policies on page 113.
  Filters
    This is where you create and manage filters for matching particular types of message content. For more information, see Chapter 8, Creating Filters on page 111.
  Time
    This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Chapter 8, Setting Time Periods on page 110.
  Custom categories
    Enables you to create and manage custom content categories for inclusion in filters. For more information, see Chapter 8, Managing Custom Categories on page 109.

Intrusion System
  Signatures
    Enables you to deploy customized and automatic rules in the intrusion detection and intrusion prevention systems. For more information, see Chapter 8, Uploading Custom Signatures on page 118.
  Policies
    Enables you to configure Advanced Firewall's intrusion detection and prevention rules for inclusion in IDS and IPS policies. For more information, see Chapter 8, Creating Custom Policies on page 117.
  IDS
    Used to enable and configure policies to monitor network activity using the Intrusion Detection System (IDS). For more information, see Chapter 8, Deploying Intrusion Detection Policies on page 114.
  IPS
    Used to enable and configure policies to monitor network activity using the Intrusion Prevention System (IPS). For more information, see Chapter 8, Deploying Intrusion Prevention Policies on page 115.

DHCP

Global: Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, see Chapter 8, Enabling DHCP on page 120.

DHCP server: Used to configure automatic dynamic and static IP leasing to DHCP requests received from network hosts. For more information, see Chapter 8, Creating a DHCP Subnet on page 120.

DHCP leases: Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, see Chapter 8, Viewing DHCP Leases on page 124.

DHCP relay: Used to configure the DHCP service to forward all DHCP requests to another DHCP server, and re-route DHCP responses back to the requesting host. For more information, see Chapter 8, DHCP Relaying on page 125.

Custom options: Used to create and edit custom DHCP options. For more information, see Chapter 8, Creating Custom DHCP Options on page 125.

System

The System section contains the following sub-sections and pages:

Maintenance

Updates: Used to check for, display and install available product updates, in addition to listing currently installed updates. For more information, see Chapter 13, Installing Updates on page 259.

Modules: Used to upload, view, install and remove Advanced Firewall modules. For more information, see Chapter 13, Managing Modules on page 261.

Licenses: Used to display and update license information for the licensable components of the system. For more information, see Chapter 13, Licenses on page 262.

Archives: Used to create and restore archives of system configuration information. For more information, see Chapter 13, Archives on page 262.

Scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, see Chapter 13, Scheduling on page 264.

Shutdown: Used to shutdown or reboot the system. For more information, see Chapter 13, Shutting down and Rebooting on page 267.

Preferences

User interface: Used to manage Advanced Firewall’s dashboard settings. For more information, see Chapter 13, Configuring the User Interface on page 268.

Time: Used to manage Advanced Firewall’s time zone, date and time settings. For more information, see Chapter 13, Setting Time on page 269.

Registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, see Chapter 13, Configuring Registration Options on page 270.

Hostname: Used to configure Advanced Firewall’s hostname. For more information, see Chapter 13, Configuring the Hostname on page 271.

Central Management

Overview: This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Chapter 14, Managing Nodes in a Smoothwall System on page 297.

Local node: This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Chapter 14, Setting up a Centrally Managed Smoothwall System on page 292.

Child nodes: This is where you add and configure nodes in a Smoothwall system. For more information, see Chapter 14, Configuring Child Nodes on page 293.

Administration

Admin options: Used to enable secure access to Advanced Firewall using SSH, and to enable referral checking. For more information, see Chapter 13, Configuring Admin Access Options on page 272.

External access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Advanced Firewall. For more information, see Chapter 13, Configuring External Access on page 273.

Administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, see Chapter 13, Administrative User Settings on page 274.

Hardware

UPS: Used to configure the system’s behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Chapter 13, Managing UPS Devices on page 277.

Failover: Used to specify what Advanced Firewall should do in the event of a hardware failure. For more information, see Chapter 13, Managing Hardware Failover on page 279.

Modem: Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, see Chapter 13, Configuring Modems on page 284.

Firmware upload: Used to upload firmware used by USB modems. For more information, see Chapter 13, Installing and Uploading Firmware on page 286.

Diagnostics

Configuration tests: Used to ensure that your current Advanced Firewall settings are not likely to cause problems. For more information, see Chapter 13, Diagnostics on page 286.

Diagnostics: Used to create diagnostic files for support purposes. For more information, see Chapter 13, Generating Diagnostics on page 287.

IP tools: Contains the ping and trace route IP tools. For more information, see Chapter 13, IP Tools on page 288.

Whois: Used to find and display ownership information for a specified IP address or domain name. For more information, see Chapter 13, Whois on page 288.

Traffic analysis: Used to generate and display detailed information on current traffic. For more information, see Chapter 13, Analyzing Network Traffic on page 289.

Certificates

Certificate authorities: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, see Chapter 13, Managing CA Certificates on page 290.

VPN

The VPN section contains the following pages:

Control: Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, see Chapter 9, Managing VPN Systems on page 175.

Global: Used to configure global settings for the VPN system. For more information, see Chapter 9, Setting the Default Local Certificate on page 137.

Certificate authorities: Used to create a local certificate authority (CA) for use in an X509 authentication-based VPN setup. It is also possible to import and export CA certificates on this page. For more information, see Chapter 9, Working with Certificate Authorities and Certificates on page 131.

Certificates: Used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, see Chapter 9, Managing Certificates on page 134.

IPSec subnets: Used to configure IPSec subnet VPN tunnels. For more information, see Chapter 9, Site-to-Site VPNs – IPSec on page 138.

IPSec roadwarriors: Used to configure IPSec road warrior VPN tunnels. For more information, see Chapter 9, IPSec Road Warriors on page 151.

L2TP roadwarriors: Used to create and manage L2TP road warrior VPN tunnels. For more information, see Chapter 9, Creating L2TP Road Warrior Connections on page 154.

SSL roadwarriors: Enables you to configure and upload custom SSL VPN client scripts. For more information, see Chapter 9, Managing Custom Client Scripts for SSL VPNs on page 164.

Configuration Guidelines

This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports

IP Address

An IP address defines the network location of a single network host. The following format is used: 192.168.10.1

IP Address Range

An IP address range defines a sequential range of network hosts, from low to high. The following format is used: 192.168.10.1-192.168.10.20

IP address ranges can span subnets. For example: 192.168.10.1-192.168.12.255

Subnet Addresses

A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways: 192.168.10.0/255.255.255.0 or 192.168.10.0/24

Netmasks

A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples: 255.255.255.0, 255.255.0.0, 255.255.248.0

Service and Ports

A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples: 21, 7070

Port Range

A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used: 137:139

Using Comments

Almost every configurable aspect of Advanced Firewall can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement. Comments are entered in the Comment fields and displayed alongside saved configuration information.

Creating, Editing and Removing Rules

Much of Advanced Firewall is configured by creating rules – for example, IP block rules and administration access rules.

Creating a Rule

To create a rule:

1 Enter configuration details in the Add a new rule area.

2 Click Add to create the rule and add it to the appropriate Current rules area.

Editing a Rule

To edit a rule:

1 Find the rule in the Current rules area and select its adjacent Mark option.

2 Click Edit to populate the configuration controls in the Add a new rule area with the rule’s current configuration values.

3 Change the configuration values as necessary.

4 Click Add to re-create the edited rule and add it to the Current rules area.

Removing a Rule

To remove one or more rules:

1 Select the rule(s) to be removed in the Current rules area.

2 Click Remove to remove the selected rule(s).

Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users etc.

Connecting via the Console

You can access Advanced Firewall via a console using the Secure Shell (SSH) protocol.

Note: By default, Advanced Firewall only allows SSH access if it has been specifically configured. See Chapter 13, Configuring Admin Access Options on page 272 for more information.

Connecting Using a Client

When SSH access is enabled, you can connect to Advanced Firewall via a secure shell application, such as PuTTY.

To connect using an SSH client:

1 Check SSH access is enabled on Advanced Firewall. See Chapter 13, Configuring Admin Access Options on page 272 for more information.

2 Start PuTTY or an equivalent client.

3 Enter the following information:

Host Name (or IP address): Enter Advanced Firewall’s host name or IP address.

Port: Enter 222.

Protocol: Select SSH.

4 Click Open. When prompted, enter root, and the password associated with it. You are given access to the Advanced Firewall command line.

Secure Communication

When you connect your web browser to Advanced Firewall’s web-based interface on a HTTPS port for the first time, your web browser will display a warning that Advanced Firewall’s certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or because you are connecting to a site pretending to be another site. Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.

Note: The data traveling between your browser and Advanced Firewall is secure and encrypted.

Unknown Entity Warning

This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Advanced Firewall’s certificate is a self-signed certificate. To remove this warning, your web browser needs to be told to trust certificates generated by Advanced Firewall. To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser’s documentation for information on how to import the certificate.

Inconsistent Site Address

Your browser will generate a warning if Advanced Firewall’s certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Advanced Firewall’s case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match. To remove this warning, access Advanced Firewall using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future.
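The address, range, subnet, netmask and port notations listed under Configuration Guidelines above are the values an administrator types into rule fields. The following added example (not Smoothwall code) validates exactly those notations in Python; the function names, the PARSERS table and the sample values are constructed for the example.

```python
"""Validators for the value formats listed under Configuration Guidelines.

Added example, not Smoothwall code.  It accepts the notations the guide
shows: a single IP address, a low-high IP address range that may span
subnets, a subnet written as address/netmask or address/prefix, a bare
netmask, a single port and a low:high port range.  Each parser returns a
normalised value or raises ValueError saying why, which is what a form
validator in front of a rule table needs.
"""
import ipaddress


def parse_ip(text: str) -> ipaddress.IPv4Address:
    """Single host, e.g. 192.168.10.1."""
    return ipaddress.IPv4Address(text.strip())


def parse_ip_range(text: str):
    """Range written low-high, e.g. 192.168.10.1-192.168.12.255.
    Ranges may span subnets, so the only constraint is low <= high."""
    low_s, sep, high_s = text.partition("-")
    if not sep:
        raise ValueError(f"expected low-high, got {text!r}")
    low, high = parse_ip(low_s), parse_ip(high_s)
    if low > high:
        raise ValueError(f"range {text!r} does not run from low to high")
    return low, high


def parse_netmask(text: str) -> int:
    """Dotted netmask such as 255.255.255.0; returns the prefix length.
    A valid mask is a run of ones followed by zeros; 255.0.255.0 is not."""
    mask = int(ipaddress.IPv4Address(text.strip()))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{text!r} is not a contiguous netmask")
    return prefix


def parse_subnet(text: str) -> ipaddress.IPv4Network:
    """Subnet in either form the guide allows: 192.168.10.0/255.255.255.0
    or 192.168.10.0/24.  The address part may be any host in the network,
    so host bits are cleared rather than rejected (strict=False)."""
    addr_s, sep, mask_s = text.partition("/")
    if not sep:
        raise ValueError(f"expected address/mask, got {text!r}")
    prefix = parse_netmask(mask_s) if "." in mask_s else int(mask_s)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length {prefix} out of range")
    return ipaddress.IPv4Network((int(parse_ip(addr_s)), prefix), strict=False)


def parse_port(text: str) -> int:
    """Numeric port as typed into a User defined field, e.g. 21 or 7070."""
    port = int(text.strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} outside 1-65535")
    return port


def parse_port_range(text: str):
    """Port range written low:high, e.g. 137:139."""
    low_s, sep, high_s = text.partition(":")
    if not sep:
        raise ValueError(f"expected low:high, got {text!r}")
    low, high = parse_port(low_s), parse_port(high_s)
    if low > high:
        raise ValueError(f"port range {text!r} does not run from low to high")
    return low, high


# Parsers keyed by the kind of field being validated.
PARSERS = {
    "ip": parse_ip,
    "ip_range": parse_ip_range,
    "subnet": parse_subnet,
    "netmask": parse_netmask,
    "port": parse_port,
    "port_range": parse_port_range,
}


def is_valid(kind: str, text: str) -> bool:
    """True when text is acceptable for a field of the given kind."""
    try:
        PARSERS[kind](text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples using the formats shown in the guide.
    samples = [("ip", "192.168.10.1"), ("ip_range", "192.168.10.1-192.168.12.255"),
               ("subnet", "192.168.10.0/255.255.255.0"), ("subnet", "192.168.10.0/24"),
               ("netmask", "255.255.0.0"), ("port", "7070"), ("port_range", "137:139"),
               ("ip_range", "192.168.10.20-192.168.10.1"), ("netmask", "255.0.255.0"),
               ("subnet", "192.168.10.0/33"), ("port_range", "139:137")]
    for kind, text in samples:
        print(f"{kind:10} {text:30} valid={is_valid(kind, text)}")
```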

Chapter 3 Working with Interfaces

In this chapter:

• Configuring global settings for interfaces
• Creating an Internet connectivity profile
• Working with bridges
• Working with bonded interfaces
• Managing Advanced Firewall’s network interfaces
• Changing the IP address

Configuring Global Settings for Interfaces

Global settings determine Advanced Firewall’s default gateway and primary and secondary DNS addresses.

To configure global settings:

1 Browse to the Networking > Interfaces > Interfaces page.

The following global interface settings are available:

Default gateway: This setting determines Advanced Firewall’s default gateway. When using a connectivity profile to connect to the Internet, select the Use external connectivity profile option. For more information, see Connecting Using an Internet Connectivity Profile on page 20.

Primary DNS: If Advanced Firewall is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. For more information, see Appendix A, Advanced Firewall and DNS on page 302.

Secondary DNS: Enter the IP address of the secondary DNS server, if one is available.

Connecting Using an Internet Connectivity Profile

Advanced Firewall supports the following Internet connection methods:

Ethernet: An Ethernet NIC routed to an Internet connection, controlled by Advanced Firewall.

Modem: An internal or external modem connected to the Internet via an ISP, controlled by Advanced Firewall.

Ethernet/modem hybrid: An Ethernet NIC routed to an external modem connected to the Internet via an ISP, not controlled by Advanced Firewall.

Up to five different connections to the Internet can be defined, each stored in its own connectivity profile. Each profile defines the type of connection that should be used and appropriate settings. A modem profile is used solely for connections using dial-up modems. A modem profile contains hardware and dialling preferences to control the behavior of dial-up modem devices. The following sections explain how to connect using different connection methods.

Connecting Using a Static Ethernet Connectivity Profile

The following section explains how to connect to the Internet using a static ethernet connectivity profile. A static Ethernet connection enables Advanced Firewall to use a static IP address as assigned by your ISP.

To connect using a static ethernet connectivity profile:

1 On the Networking > Interfaces > Interfaces page, configure the following setting:

Default gateway: Select Use external connectivity profile. Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2 Point to the network interface card (NIC) you want to use and select Edit.

3 In the Edit interface dialog box, configure the following settings:

Name: Accept the default name or enter a custom name.

Use as: Select External.

4 On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.

Profile name: Enter a name for the connection profile.

Method: Select Static Ethernet.

Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.

Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

5 Click Update.

6 In the Static Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.

Address: Enter the static IP address provided by your ISP.

Netmask: Enter the subnet mask as provided by your ISP.

Default gateway: Enter the default gateway IP address as provided by your ISP.

Primary DNS: Enter the primary DNS server details as provided by your ISP.

Secondary DNS: Enter the secondary DNS server details as provided by your ISP.

Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a DHCP Ethernet Connectivity Profile

The following section explains how to connect to the Internet using a DHCP Ethernet connectivity profile. A DHCP Ethernet connection enables Advanced Firewall to be allocated a dynamic IP address, as assigned by the ISP.

To connect using a DHCP Ethernet connectivity profile:

1 On the Networking > Interfaces > Interfaces page, configure the following setting:

Default gateway: Select Use external connectivity profile. Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2 Point to the network interface card (NIC) you want to use and select Edit.

3 In the Edit interface dialog box, configure the following settings:

Name: Accept the default name or enter a custom name.

Use as: Select External.

4 On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.

Profile name: Enter a name for the connection profile.

Method: Select DHCP Ethernet.

Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.

Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

5 Click Update and in the DHCP Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.

DHCP Hostname: Optionally enter a DHCP hostname.

MAC spoof: Enter a spoof MAC value if required, as provided by your ISP.

6 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a PPP over Ethernet Connectivity Profile

The following section explains how to connect to the Internet using a PPP over Ethernet connectivity profile.
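The failover ping, Automatic failover to profile and load balancing settings described in the connectivity profile tables above behave the same way for every connection method. The following added example (not Smoothwall code) models that behaviour in Python: the profile names, ping addresses and reachability set are constructed, the exact split of traffic by weight is this example's own arithmetic rather than a documented algorithm, and the loop check on the daisy chain is the configuration test a practitioner would want before relying on the reboot option.

```python
"""Decision logic behind a connectivity profile's failover and load-balancing
settings: Primary/Secondary failover ping IP, Automatic failover to profile,
Load balance outgoing traffic and Weighting.

Added example, not Smoothwall code.  A profile counts as working when one of
its failover ping IPs can be contacted; otherwise the daisy chain of
"Automatic failover to" profiles is followed until a working profile, the
reboot option, or nothing is found.  Reachability is a constructed set of
addresses, so nothing is actually pinged.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

REBOOT = "reboot"  # the reboot option in the Automatic failover to drop-down


@dataclass
class Profile:
    name: str
    primary_ping: str
    secondary_ping: Optional[str] = None
    failover_to: Optional[str] = None  # another profile name, REBOOT or None
    load_balance: bool = False         # Load balance outgoing traffic
    weight: int = 1                    # Weighting


def is_up(profile: Profile, reachable: Set[str]) -> bool:
    """A profile is working when either failover ping IP can be contacted."""
    return (profile.primary_ping in reachable
            or (profile.secondary_ping is not None
                and profile.secondary_ping in reachable))


def failover_chain(profiles: Dict[str, Profile], start: str) -> List[str]:
    """Profile names visited from `start` by following Automatic failover to.
    A chain that loops back on itself can never reach the reboot option, so
    it is reported as a configuration error."""
    chain: List[str] = []
    current: Optional[str] = start
    while current not in (None, REBOOT):
        if current in chain:
            raise ValueError("failover chain loops: " + " -> ".join(chain + [current]))
        chain.append(current)
        current = profiles[current].failover_to
    return chain


def chain_is_acyclic(profiles: Dict[str, Profile], start: str) -> bool:
    """Configuration check: True unless the daisy chain from `start` loops."""
    try:
        failover_chain(profiles, start)
        return True
    except ValueError:
        return False


def choose_profile(profiles: Dict[str, Profile], start: str,
                   reachable: Set[str]) -> Optional[str]:
    """First working profile along the chain; REBOOT when the chain ends in
    the reboot option with nothing working; None when it simply runs out."""
    chain = failover_chain(profiles, start)
    for name in chain:
        if is_up(profiles[name], reachable):
            return name
    return profiles[chain[-1]].failover_to


def split_outgoing(profiles: Dict[str, Profile], active: str,
                   reachable: Set[str], flows: int) -> Dict[str, int]:
    """How many of `flows` outbound connections each working connection
    carries, in proportion to Weighting.  With nothing in the pool every
    flow leaves via the active connection.  Assumption for the example: the
    rounding remainder goes to the active connection."""
    if not is_up(profiles[active], reachable):
        raise ValueError(f"{active} is down; run choose_profile first")
    pool = [p for p in profiles.values()
            if p.name != active and p.load_balance and is_up(p, reachable)]
    if not pool:
        return {active: flows}
    members = [profiles[active]] + pool
    total = sum(p.weight for p in members)
    shares = {p.name: flows * p.weight // total for p in members}
    shares[active] += flows - sum(shares.values())
    return shares


# Constructed configuration: wan1 -> wan2 -> wan3 -> reboot, with wan2 also
# in the load-balancing pool at weight 1 against wan1's weight 3.
PROFILES = {
    "wan1": Profile("wan1", "198.51.100.1", "198.51.100.2", "wan2", weight=3),
    "wan2": Profile("wan2", "203.0.113.1", None, "wan3", load_balance=True),
    "wan3": Profile("wan3", "192.0.2.1", None, REBOOT),
}

if __name__ == "__main__":
    for reachable in ({"198.51.100.2", "203.0.113.1"}, {"203.0.113.1"}, set()):
        active = choose_profile(PROFILES, "wan1", reachable)
        print(f"reachable={sorted(reachable)} -> active={active}")
        if active not in (None, REBOOT):
            print("  100 flows:", split_outgoing(PROFILES, active, reachable, 100))
```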

To connect using a PPP over Ethernet connection:

1 On the Networking > Interfaces > Interfaces page, configure the following setting:

Default gateway: Select Use external connectivity profile. Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2 Point to the network interface card (NIC) you want to use and select Edit.

3 In the Edit interface dialog box, configure the following settings:

Name: Accept the default name or enter a custom name.

Use as: Select External.

4 On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.

Profile name: Enter a name for the connection profile.

Method: Select PPP over Ethernet.

Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.

Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

5 Click Update.

6 In the PPP over Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.

Service name: If required, enter the service name as specified by your ISP.

Concentrator: If required, enter the concentrator name as specified by your ISP.

PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one.

MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.

Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a PPTP over Ethernet Connectivity Profile

This section explains how to configure Advanced Firewall to use a PPTP modem for Internet connectivity.

To connect using a PPTP over Ethernet connection:

1 On the Networking > Interfaces > Interfaces page, configure the following setting:

Default gateway: Select Use external connectivity profile. Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2 Point to the network interface card (NIC) you want to use and select Edit.

3 In the Edit interface dialog box, configure the following settings:

Name: Accept the default name or enter a custom name.

Use as: Select External.

4 On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.

Profile name: Enter a name for the connection profile.

Method: Select PPTP over Ethernet.

Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.

Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

5 Click Update.

6 In the PPTP over Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.

PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to Networking > Interfaces > Interfaces and create one. For more information, see Creating a PPP Profile on page 31.

Address: Enter the IP address assigned by your ISP.
Netmask: Enter the netmask assigned by your ISP.
Gateway: Enter the gateway assigned by your ISP.
Telephone: Enter the dial telephone number as provided by your ISP.
Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using an ADSL/DSL Modem Connectivity Profile
Advanced Firewall can connect to the Internet using an ADSL modem.
Note: To connect using an ADSL modem, the ADSL device must have been either configured during the initial installation and setup or post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.
If your ADSL connection uses a PPPoE connection, see Connecting using a PPP over Ethernet Connectivity Profile on page 23 for more information.
To connect using an ADSL/DSL modem connectivity profile:
1 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select ADSL modem.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
2 Click Update.
3 In the ADSL modem settings area, configure the following settings:
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 31.
Service name: Leave this field blank. It is not required for this type of profile.
Concentrator: Leave this field blank. It is not required for this type of profile.
4 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using an ISDN Modem Connectivity Profile
Note: The following sections apply if an ISDN modem is installed in your Advanced Firewall.
This section explains how to configure Advanced Firewall to connect to the Internet using an ISDN modem for Internet connectivity.
Note: To connect using an ISDN modem, an ISDN device must have been configured during the initial installation and setup of Advanced Firewall. Alternatively, ISDN devices can be configured post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.
To connect using an ISDN modem connectivity profile:
1 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select ISDN TA.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
2 Click Update.
3 In the ISDN settings area, configure the following settings:
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > Interfaces page and create one. For more information, see Creating a PPP Profile on page 31.
Telephone: Enter the telephone number for the ISDN connection.
Channels: From the drop-down list, select either Single channel or Dual channel, depending on whether you are using one or two ISDN lines.
Keep second channel up: Select to force the second channel to remain open when its data rate falls below a worthwhile threshold. Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode, and the data-rate of the second channel decreases below a threshold where it is of no benefit, Advanced Firewall will automatically close it. Forcing the second channel to stay up will help prevent this from happening.

Minimum time to keep second channel up (sec): Enter a minimum time, in seconds, to keep the second channel up if your ISDN connection experiences intermittent loss of data throughput for short periods of time. This option is of use when the second channel data-rate falls below the threshold for short periods of time.
Click Save to save the profile or Save and connect to save the profile and use it to connect to the Internet immediately.

Connecting Using a Dial-up Modem Connectivity Profile
This section explains how to connect to the Internet using a dial-up modem for Internet connectivity.
To connect using a dial-up modem connectivity profile:
1 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select Modem.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will failover, if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
2 Click Update.
3 In the Modem settings area, configure the following settings:
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to Networking > Interfaces > Interfaces and create one. For more information, see Creating a PPP Profile on page 31.
Modem profile: From the drop-down list, select the modem profile to use. See Configuring Modems on page 284 for more information on modem profiles.
Telephone: Enter the telephone number for the connection.
Click Save and connect to save the profile and use it to connect to the Internet immediately.

Creating a PPP Profile
A PPP profile contains the username, password and connection-specific details for connections where Advanced Firewall controls the connecting device attached to Advanced Firewall, including ISDN and Ethernet/modem hybrid devices.
Up to five PPP profiles can be created to store username, password and other settings used for dial-up type connections. The advantage of storing these settings in a PPP profile is that multiple connection profiles can refer to the same authentication and dial settings. This is useful for creating multiple profiles to ISPs that support a range of access technologies that are authenticated via the same user account.

To create a PPP profile:
1 Navigate to the Networking > Interfaces > PPP page.
2 Configure the following settings:
Profiles: From the drop-down list, select Empty.
Profile name: Enter a name for the profile.
Username: Enter your ISP assigned username.
Password: Enter your ISP assigned password.
Method: Choose the authentication method as specified by your ISP in this field.
Script name: Enter the name of a logon script here, if your ISP informs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.
Dial on Demand: Select to ensure that the PPP connection is only established if an outward-bound request is made. This may help reduce costs if your ISP uses per unit time billing.
Dial on Demand for DNS: Select to ensure that the system dials for DNS requests – this is normally the desired behavior.
Idle timeout: Enter the number of minutes that the connection must remain inactive for before it is automatically closed by Advanced Firewall. Enter 0 to disable this setting.
Persistent connection: Select to ensure that once this PPP connection has been established, it will remain connected, regardless of the value entered in the Idle timeout field.
Maximum retries: Enter the maximum number of times that Advanced Firewall will try to connect following failure to connect.
Type: Specifies the DNS type used by your ISP. Automatic – select if your ISP automatically allocates DNS settings upon connection. Manual – select if your ISP has provided you with DNS server addresses to enter.
Primary DNS: If Manual has been selected, enter the primary DNS server IP address.

Secondary DNS: If Manual has been selected, enter the secondary DNS server IP address.
3 Click Save to save your settings and create a PPP profile.

Modifying Profiles
To modify a profile:
1 On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to modify and click Select.
2 Make the changes. See Connecting Using an Internet Connectivity Profile on page 20 for information on the settings.
3 Click Save. Advanced Firewall modifies the profile.
Note: Any changes made to a profile used in a current connection will only be applied following reconnection.

Deleting Profiles
To delete a profile:
1 On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to delete and click Select.
2 Click Delete. Advanced Firewall deletes the profile.
Note: Deleting a profile used as part of a current connection will cause the current connection to close.

Working with Bridges
It is possible to deploy Advanced Firewall in-line using two or more NICs to create a transparent bridge on which Deep Packet Inspection is possible. The following sections explain how to create, edit and delete bridges.

Creating Bridges
To create a bridge:
1 On the Networking > Interfaces > Interfaces page, click Add new interface.
2 In the Add new interface dialog box, configure the following settings:
Name: Enter a name for the bridge.
Type: Select Bridge.
Ports: From the ports listed as available, select the ports to be used as bridge members.
Use as: Select one of the following:
External – Select to use the bridge as an external interface.
Basic interface – Select to use the bridge as an interface with one or more IP addresses on it.

MAC: Accept the displayed MAC address or enter a new one.
3 Click Add. Advanced Firewall adds the bridge to the list on the Networking > Interfaces > Interfaces page.

Editing Bridges
To edit a bridge:
1 On the Networking > Interfaces > Interfaces page, point to the bridge and click Edit.
2 In the Edit interface dialog box, make the changes needed. See Creating Bridges on page 33 for information on the settings available.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting Bridges
To delete a bridge:
1 On the Networking > Interfaces > Interfaces page, point to the bridge and click Delete.
2 When prompted, click Delete to confirm you want to delete the bridge. Advanced Firewall deletes the bridge.

Working with Bonded Interfaces
Advanced Firewall enables you to bind two or more NICs into a single bond. Bonding enables the NICs to act as one, thus providing high availability.

Creating Bonds
To create a bond:
1 On the Networking > Interfaces > Interfaces page, click Add new interface.
2 In the Add new interface dialog box, configure the following settings:
Name: Enter a name for the bond.
Type: Select Bonding.
Ports: From the ports listed as available, select the ports to be used as bond members.
Use as: Select one of the following:
External – Select to use the bond as an external interface.
Basic interface – Select to use the bond as an interface with one or more IP addresses on it.
Bridge member – Select to use the bond as a member of a bridge. For more information, see Working with Bridges on page 33.
MAC: Accept the displayed MAC address or enter a new one.
3 Click Add. Advanced Firewall adds the bond to the list on the Networking > Interfaces > Interfaces page.

Editing Bonds
To edit a bond:
1 On the Networking > Interfaces > Interfaces page, point to the bond and click Edit.
2 In the Edit interface dialog box, make the changes needed. See Creating Bonds on page 34 for information on the settings available.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting Bonds
To delete a bond:
1 On the Networking > Interfaces > Interfaces page, point to the bond and click Delete.
2 When prompted, click Delete to confirm you want to delete the bond. Advanced Firewall deletes the bond.

Configuring IP Addresses
The following sections explain how to add, edit and delete IP addresses used by interfaces.
Note: External aliases are configured on the Networking > Interfaces > External aliases page. See Chapter 4, Creating an External Alias Rule on page 45 for more information.

Adding an IP Address
To add an IP address:
1 On the Networking > Interfaces > Interfaces page, click on the interface you want to add an IP address to.
2 In the IP addresses dialog box, click Add new address.
3 In the Add new address dialog box, configure the following settings:
Status: Select Enabled to enable the IP address for the NIC.
IP address: Enter an IP address.
Subnet mask: Enter the subnet mask.
Gateway: Optionally, enter a gateway.
Click Add. Advanced Firewall adds the IP address to the interface.

Editing an IP Address
To edit an IP address:
1 On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to edit.
2 In the IP addresses dialog box, point to the address and click Edit.
3 In the Edit address dialog box, make the changes needed and click Save changes. Advanced Firewall applies the changes.

Deleting an IP Address
To delete an IP address:
1 On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to delete.
2 In the IP addresses dialog box, point to the address and click Delete.
3 When prompted, click Delete. Advanced Firewall deletes the address.

Virtual LANs
Advanced Firewall supports the creation of Virtual LANs (VLANs) by binding a virtual network interface to a regular NIC on the system. Each VLAN is treated by Advanced Firewall as an isolated network zone, just as if it were a regular network zone attached to a real NIC.

Creating a VLAN
To create a VLAN:
1 On the Networking > Interfaces > Interfaces page, click Add new interface.
2 In the Add new interface dialog box, configure the following settings:
Name: Enter a name for the VLAN.
Type: Select VLAN.
Parent interface: From the drop-down list of NICs available, select the interface to use.
VLAN ID: If required, enter a tag in the range 1 to 4095 to create a separate network. Note: We do not recommend using a VLAN tag of 1 as this can cause problems with some equipment.
Use as: Select one of the following:
External – Select to use the VLAN as an external interface. Spoof MAC – Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
Basic interface – Select to use the VLAN as a basic interface. Spoof MAC – Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
Bridge member – Select to use the VLAN as part of a bridge. Bridge interface – From the drop-down list, select which bridge interface to use. Spoof MAC – Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier. For more information, see Working with Bridges on page 33.

3 Click Add. The VLAN is added to the list of interfaces below, where you can configure it.

Editing a VLAN
To edit a VLAN:
1 On the Networking > Interfaces > Interfaces page, point to the VLAN and click Edit.
2 In the Edit interface dialog box, make the changes needed and click Save changes. See Creating a VLAN on page 36 for information on the settings available.

Deleting a VLAN
To delete a VLAN:
1 On the Networking > Interfaces > Interfaces page, point to the VLAN and click Delete.
2 When prompted, click Delete to confirm. Advanced Firewall deletes the VLAN.


Chapter 4 Managing Your Network Infrastructure
In this chapter:
• Creating subnets and internal subnet aliases
• Enabling and configuring the RIP service

Creating Subnets
Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches.
Note: This functionality only applies to subnets available via an internal gateway.
To create a subnet rule:
1 Navigate to the Networking > Routing > Subnets page.
2 Configure the following settings:
Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with a netmask value.
Netmask: Enter a network mask that specifies the size of the subnet when combined with the network field.

Gateway: Enter the IP address of the gateway device by which the subnet can be found. This will be an address on a locally recognized network zone. The gateway address must be on a network that Advanced Firewall is directly attached to. It is necessary for Advanced Firewall to be able to route to the gateway device in order for the subnet to be successfully configured.
Metric: Enter a router metric to set the order in which the route is taken. This sets the order in which the route is evaluated, with 0 being the highest priority and the default for new routes.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.
3 Click Add. The rule is added to the Current rules table.

Editing and Removing Subnet Rules
To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.

Using RIP
The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its nearest neighbor, typically every 30 seconds.
Advanced Firewall's RIP service can:
• Operate in import, export or combined import/export mode
• Support password and MD5 authentication
• Export direct routes to the system's internal interfaces
To configure the RIP service:
1 Navigate to the Networking > Routing > RIP page.
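A pre-flight check for a subnet rule, written here as an added example and not Smoothwall code: it confirms that the Network field is the network ID for the given Netmask, that the Gateway lies on a directly attached network, and it evaluates candidate routes in Metric order with 0 first, modelling the page's description rather than the kernel routing table. The SubnetRule class, the attached-network list and the sample rules are assumptions constructed for the demo.

```python
import ipaddress
from typing import Iterable, List, Optional


class SubnetRule:
    """One row of Networking > Routing > Subnets (field names follow the guide;
    the class itself is an assumption made for this example)."""

    def __init__(self, network: str, netmask: str, gateway: str,
                 metric: int = 0, enabled: bool = True, comment: str = ""):
        self.network = network
        self.netmask = netmask
        self.gateway = gateway
        self.metric = metric          # 0 = highest priority, the default
        self.enabled = enabled
        self.comment = comment

    def subnet(self, strict: bool = True) -> ipaddress.IPv4Network:
        # strict=True rejects a Network value with host bits set, i.e. one
        # that is not the network ID part of the definition
        return ipaddress.IPv4Network(f"{self.network}/{self.netmask}", strict=strict)


def check_subnet_rule(rule: SubnetRule, attached: Iterable[str]) -> List[str]:
    """Return the problems found with a rule; an empty list means it is acceptable.

    attached: networks the firewall is directly attached to, in prefix form
    (e.g. "192.168.1.0/24"); the gateway must lie on one of them.
    """
    problems: List[str] = []
    try:
        rule.subnet()
    except ValueError as exc:
        return [f"network/netmask invalid: {exc}"]
    try:
        gateway = ipaddress.IPv4Address(rule.gateway)
    except ValueError as exc:
        return [f"gateway invalid: {exc}"]
    local = [ipaddress.IPv4Network(n) for n in attached]
    if not any(gateway in net for net in local):
        problems.append(f"gateway {gateway} is not on a directly attached network")
    if rule.metric < 0:
        problems.append("metric must be 0 or greater (0 is the highest priority)")
    return problems


def pick_route(dest: str, rules: Iterable[SubnetRule]) -> Optional[str]:
    """Gateway of the first enabled rule covering dest, evaluating rules in
    metric order (lowest first) as the guide describes; rules with the same
    metric keep their configured order because sorted() is stable."""
    addr = ipaddress.IPv4Address(dest)
    for rule in sorted((r for r in rules if r.enabled), key=lambda r: r.metric):
        if addr in rule.subnet(strict=False):
            return rule.gateway
    return None


# Constructed sample data: two attached zones and three candidate rules.
ATTACHED = ["192.168.1.0/24", "10.10.0.0/16"]
RULES = [
    SubnetRule("172.16.0.0", "255.255.0.0", "192.168.1.254", metric=5, comment="via old router"),
    SubnetRule("172.16.0.0", "255.255.0.0", "10.10.0.1", metric=0, comment="via core router"),
    SubnetRule("172.31.0.0", "255.255.0.0", "192.168.5.1", comment="gateway not reachable"),
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule.comment, "->", check_subnet_rule(rule, ATTACHED) or "ok")
    print("172.16.4.4 routes via", pick_route("172.16.4.4", RULES))
```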

2 Configure the following settings:
Enabled: Select to enable the RIP service.
Direction: From the drop-down menu, select how to manage routing information. The following options are available:
Import and Export – The RIP service will add and update its routing table from information received from other RIP enabled gateways. The RIP service will also broadcast its routing tables for use by other RIP enabled gateways.
Import – The RIP service will add and update its routing table from information received from other RIP enabled gateways.
Export – The RIP service will only broadcast its routing tables for use by other RIP enabled gateways.
Authentication: Enabling RIP authentication ensures that routing information is only imported and exported amongst trusted RIP-enabled devices. Select one of the following options to manage authentication:
None – In this mode, routing information can be imported and exported between any RIP device. We do not recommend this option from a security standpoint.
Password – In this mode, a plain text password is specified which must match other RIP devices.
MD5 – In this mode, an MD5 hashed password is specified which must match other RIP devices.
Password: If Password is selected as the authentication method, enter a password for RIP authentication.
Again: If Password is selected as the authentication method, re-enter the password to confirm it.
RIP interfaces: Select each interface that the RIP service should import/export routing information to/from.
Scan interval: From the drop-down menu, select the time delay between routing table imports and exports. Note: There is a performance trade-off between the number of RIP-enabled devices, network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval or the suitability of the RIP service for propagating routing information.
Logging level: From the drop-down menu, select the level of logging.

Direct routing interfaces: Optionally, select interfaces whose information should also include routes to the RIP service's own interfaces when exporting RIP data. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.
3 Click Save.

Sources
The Sources page is used to configure source rules which determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. Source rules can be created for individual hosts, ranges of hosts or subnet ranges. For more information, see About IP Address Definitions on page 43.

Creating Source Rules
Source rules route outbound traffic from selected network hosts through a particular external interface.
To create a source rule:
1 Navigate to the Networking > Routing > Sources page.
2 Configure the following settings:
Source IP or network: Enter the source IP or subnet range of internal network host(s) specified by this rule.
Internal interface: From the drop-down menu, select the internal interface that the source IP must originate from to use the external connection.

External interface: From the drop-down menu, select the external interface that is used by the specified source IP or network for external communication. Alternatively, select Exception to create an exception rule to ensure that all outbound traffic from the specified source IP, network and internal interface is routed via the primary external interface. Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection. Note: If the external interface is set to Exception, any traffic specified here will not be subject to any load balancing.
Comment: Optionally, enter a description for the source rule.
Enabled: Select to activate the rule.
3 Click Add.

Editing a Rule
To edit a rule:
1 Locate it within the Current rules region, select it and click Edit to populate the configuration controls in the Add a new rule region with the rule's current configuration values.
2 Alter the configuration values as necessary, and click Add.

Removing a Rule
To remove one or more rules:
1 Select each rule in the Current rules area and click Remove.

About IP Address Definitions
Single or multiple IP addresses can be specified in a number of different manners:
IP address – An identifier for a single network host, written as a quartet of dotted decimal values, e.g. 192.168.10.1
IP subnet [dotted decimal] – An arbitrary IP address and network mask that specifies a subnet range of IP addresses, e.g. 192.168.10.0/255.255.255.0 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255
IP subnet [network prefix] – An arbitrary IP address and network mask in network prefix notation, e.g. 192.168.10.0/24 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255

Ports
The Ports page is where you route outbound traffic for selected ports through a particular external interface. For example, you can create a rule to send all SMTP traffic down a specific external interface.
Note: The rules specified on the Sources page will always be examined first, so a rule will only travel down this list of ports if it does not first hit a sources rule. For more information, see Sources on page 42.

Creating a Ports Rule

Port rules route outbound traffic for selected ports through a particular external interface.

To create a ports rule:

1 Navigate to the Networking > Routing > Ports page.

2 Configure the following settings:

Setting – Description

Protocol – From the drop-down menu, select the protocol the traffic uses.

Service – From the drop-down menu, select the service, port range or group of ports.

Port – If the service is user defined, enter the port number.

External interface – From the drop-down menu, select the external interface to use. Select Exception to never route the traffic via an alternative interface. Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.

Comment – Enter a description of the rule.

Enabled – Select to make the rule active.

3 Click Add to create the rule. The rule is created and listed in the Current rules area.

Editing a Rule

To edit a rule:

1 Select the rule in the Current rules area and click Edit.

2 In the Add a new rule area, make the changes you require and click Add. The rule is updated and listed in the Current rules area.

Removing Rules

To remove one or more rules:

1 Select each rule in the Current rules area and click Remove.

Creating an External Alias Rule

Advanced Firewall enables you to associate multiple public IP addresses with a single Advanced Firewall by creating external aliases. An external alias binds an additional public IP address to Smoothwall System’s external interface. This is particularly useful for creating aliases for connection profiles that are used as failover connections.

To create an external alias rule:

1 Navigate to the Networking > Interfaces > External aliases page.

2 Configure the following settings:

Setting – Description

External interface – From the drop-down list, select the external interface to which you want to bind an additional public IP address.

Select – Click to select the interface.

Alias IP – Enter the IP address of the external alias. This address should be provided by your ISP as part of a multiple static IP address allocation.

Netmask – Used to specify the network mask of the external alias. This value should be provided by your ISP. This value is usually the same as the external interface's netmask value.

Connectivity profile – Used to determine when the external alias is active. Options include: All – The external alias will always be active, irrespective of the currently active connection profile. Named connection profile – The external alias will only be active if the named connection profile is currently active.

Comment – A field used to assign a helpful message describing the external alias rule.

Enabled – Determines whether the external alias rule is currently active.

3 Click Add. The external alias rule is added to the Current rules table.

Editing and Removing External Alias Rules

To edit or remove existing external alias rules, use Edit and Remove in the Current rules region.

Port Forwards from External Aliases

Advanced Firewall extends your system’s port forwarding capabilities by allowing port forward rules to be created that can forward traffic arriving at an external alias. No special configuration is required to use this feature. Use the existing Networking > Firewall > Port forwarding page and select the required external alias from the Source IP drop-down list.

Creating a Source Mapping Rule

Advanced Firewall enables you to map internal hosts to an external IP alias by creating source mapping rules. This allows outbound communication from specified hosts to appear to originate from the external alias IP address, instead of the default, real external IP.

A common use for source mapping rules is to ensure that SMTP mail servers send and receive email via the same IP address. If the incoming IP address is an external alias, i.e. the Advanced Firewall default external IP is not the MX for the email domain, and outbound mail fails to mirror the IP address as its source, some SMTP servers will reject the mail. This is because the mail will not appear to originate from the correct IP address. This problem can be alleviated by using a source mapping rule to ensure that the SMTP server uses the same IP address for inbound and outbound traffic.

To create a source mapping rule:

1 Navigate to the Networking > Firewall > Source mapping page.

2 Configure the following settings:

Setting – Description

Source IP – Enter the source IP or network of hosts to be mapped to an external alias. For a single host, enter its IP address. For a network of hosts, enter an appropriate IP address and subnet mask combination; for example, 192.168.100.0/255.255.255.0 will create a source mapping rule for hosts in the IP address range 192.168.100.1 through to 192.168.100.255. For all hosts, leave the field blank.

Alias IP – From the drop-down list, select the external alias that outbound communication is mapped to.

Comment – Enter a description of the rule.

Enabled – Select to enable the rule.

3 Click Add. The source mapping rule is added to the Current rules table.

Editing and Removing Source Mapping Rules

To edit or remove existing source mapping rules, use Edit and Remove in the Current rules area.

Managing Internal Aliases

Advanced Firewall can be configured to create internal aliases for each installed NIC, thus enabling it to route packets to and from IP addresses on a virtual subnet – without the need for physical switches. Internal aliases can be used to create logical subnets amongst hosts within the same physical network zone. Network users can join a logical subnet by changing their IP address. Internal alias rules are used to create such bindings on an internal network interface.

Note: This function is recommended only for experienced network administrators, as there are a number of security implications and limitations that using this feature will impose on the rest of your network.

Note: Use of this feature is not normally recommended for the following reasons:

• No physical separation – Internal aliases should not be considered as a substitute for physically separating multiple networks.

• No DHCP service – DHCP servers cannot serve a logical subnet, as it is impossible for the server to know which subnet (physical or logical) the client should be on.

• No direct DNS or proxy access – The DNS proxy and web proxy services cannot be accessed by hosts on a logical subnet. Requests for such services must be routed via the IP address of the physical interface – this is not the case when an alias is in use.

Note: No services will run on the alias IP. Generally, internal aliases should only be created in special circumstances.

Creating an Internal Alias Rule

To create an internal alias rule:

1 Navigate to the Interfaces > Internal aliases page.

2 Configure the following settings:

Setting – Description

Interface – From the drop-down menu, select the internal interface on which to create the alias.

IP address – Enter an IP address for the internal alias.

Netmask – Enter a network mask that specifies the size of the subnet accessible via the internal alias (when combined with a network value).

Comment – Enter a description of the rule.

Enabled – Select to enable the rule.

3 Click Add. The internal alias rule is added to the Current rules table.

Editing and Removing Internal Alias Rules

To edit or remove existing internal alias rules, use Edit and Remove in the Current rules area.

Working with Secondary External Interfaces

The Secondaries page is used to configure an additional, secondary external interface. A secondary external interface will operate independently of the primary external interface, NATing its own outbound traffic. Once a secondary external interface is active, the system can be configured to selectively route different internal hosts, ranges of hosts and subnets out across either the primary or secondary external interface.

Configuring a Secondary External Interface

Note: It is not possible to perform L2TP or OpenVPN connections to secondary interfaces.

To configure a secondary external interface:

1 Navigate to the Networking > Interfaces > Secondaries page.

2 Configure the following settings:

Setting – Description

Secondary external interface – From the drop-down list, select the interface you want to use as the secondary external interface.

Select – Click to select the interface.

Enabled – Select to enable the interface.

Address – Enter the IP address.

Netmask – Enter the netmask.

Default gateway – Enter the default gateway.

Primary failover ping IP – Optionally, specify an IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address cannot be contacted, all outbound traffic will be redirected to the primary connection. If a secondary failover IP has been entered, it must also fail before failover routing is activated.

Secondary failover ping IP – Optionally, specify an additional IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address and the primary failover ping IP cannot be contacted, all outbound traffic will be redirected to the primary connection.

Load balance outgoing traffic – Optionally, select to add the currently selected secondary address to the load balancing pool of connections. Selecting this option ensures that outbound NATed traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the load balancing pool. Note: If no load balance tick-box controls are selected, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic – Optionally, select to add the currently selected secondary address to the proxy load balancing pool. Selecting this option ensures that web proxy traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have themselves been added to the proxy load balancing pool. Note: If no load balance options are enabled, all traffic will be sent out of the primary external connection.

Weighting – Optionally, select to set the weighting for load balancing on the currently selected secondary address. A weighting is assigned to all external connections in the load balancing pool and load balancing is performed according to the respective weights of each connection. For example:

• A connection weighted 2 will be given twice as much load as a connection weighted 1.

• A connection weighted 6 will be given 3 times as much load as a connection weighted 2.

• A connection weighted 10 will be given 10 times as much load as a connection weighted 1.

The weighting value is especially useful for load balancing external connections of differing speeds.

3 Click Save to save your settings and enable the secondary external interface.
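The precedence the Sources and Ports pages describe (Sources rules examined first, Exception always meaning the primary with no load balancing) and the weighting rule above can be checked against a small model. The following Python is an added illustration written for this guide edit, not Smoothwall code: the interface names primary and secondary, the rule and flow classes, and the smooth weighted round-robin used to realise the weights are all assumptions, since the guide does not say how Advanced Firewall implements its balancing.

```python
"""Model of outbound interface selection: Sources rules are examined
first, then Ports rules, then weighted load balancing across the pool.
Added illustration of the Sources, Ports and Weighting settings; the
names and the balancing algorithm are assumptions, not Smoothwall code."""
import ipaddress
from dataclasses import dataclass, field

PRIMARY = "primary"          # assumed name of the primary external connection
EXCEPTION = "Exception"      # the page's "Exception" choice: always the primary


@dataclass
class SourceRule:
    network: str             # "192.168.10.0/24", "192.168.20.5", or "" for any host
    internal_iface: str      # interface the traffic must originate from
    external_iface: str      # external interface name, or EXCEPTION


@dataclass
class PortRule:
    protocol: str
    port: int
    external_iface: str      # external interface name, or EXCEPTION


@dataclass
class Flow:
    src_ip: str
    internal_iface: str
    protocol: str
    dst_port: int


@dataclass
class Pool:
    """Load balancing pool: external interface name -> weighting."""
    weights: dict
    current: dict = field(default_factory=dict)

    def pick(self):
        # Smooth weighted round-robin: over a full cycle each interface is
        # chosen in proportion to its weight, so a weight-2 link carries
        # twice the new flows of a weight-1 link, exactly as the page states.
        total = sum(self.weights.values())
        for name, weight in self.weights.items():
            self.current[name] = self.current.get(name, 0) + weight
        chosen = max(self.current, key=self.current.get)
        self.current[chosen] -= total
        return chosen


def distribute(pool, flows):
    """Count how many of `flows` new connections land on each interface."""
    counts = {}
    for _ in range(flows):
        chosen = pool.pick()
        counts[chosen] = counts.get(chosen, 0) + 1
    return counts


def route(flow, source_rules, port_rules, pool):
    """Return (external interface, reason) for one new outbound flow."""
    src = ipaddress.ip_address(flow.src_ip)
    # 1. Sources rules are always examined first.
    for rule in source_rules:
        if rule.internal_iface != flow.internal_iface:
            continue
        if rule.network and src not in ipaddress.ip_network(rule.network, strict=False):
            continue
        if rule.external_iface == EXCEPTION:
            return PRIMARY, "sources exception: primary, never load balanced"
        return rule.external_iface, "sources rule"
    # 2. Ports rules are only reached when no Sources rule matched.
    for rule in port_rules:
        if rule.protocol == flow.protocol and rule.port == flow.dst_port:
            if rule.external_iface == EXCEPTION:
                return PRIMARY, "ports exception: primary, never load balanced"
            return rule.external_iface, "ports rule"
    # 3. Otherwise the pool decides; with nothing in the pool, everything
    #    goes out of the primary connection.
    if not pool.weights:
        return PRIMARY, "no load balance pool"
    return pool.pick(), "load balanced"
```

Running distribute over a pool weighted primary 1 and secondary 2 puts exactly two thirds of new flows on the secondary, and a flow that matches a Sources Exception rule goes to the primary even when a Ports rule would have sent the same port elsewhere.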

Chapter 5 General Network Security Settings

In this chapter:

• Using IP blocking to block source IPs and networks

• Reviewing network interface information

• Fine-tuning network communications using the advanced networking features

• Creating groups of ports for use throughout Advanced Firewall.

Blocking by IP

IP block rules can be created to block network traffic originating from certain source IPs or network addresses. IP block rules are primarily intended to block hostile hosts from the external network; however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal system has been infected by malware. IP block rules can also operate in an exception mode – allowing traffic from certain source IPs or network addresses, or between certain parts of distinct networks, to always be allowed.

Creating IP Blocking Rules

IP block rules block all traffic to/from certain network hosts.

To create an IP block rule:

1 Navigate to the Networking > Filtering > IP block page.

2 Configure the following settings:

Control – Description

Source IP or network – Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:

• An individual network host, enter its IP address, for example: 192.168.10.1.

• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.

• A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.

Destination IP or network – Enter the destination IP, IP range or subnet range of IP addresses to block or exempt, using the same address forms as for Source IP or network (an individual host, an IP address range, or a subnet range).

Drop packet – Select to ignore any request from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network, and no communication will be possible.

Reject packet – Select to cause an ICMP Connection Refused message to be sent back to the originating IP.

Exception – Select to always allow the source IPs specified in the Source IP or network field to communicate, regardless of all other IP block rules. Exception block rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses against it.

Log – Select to log all activity from this IP.

Comment – Optionally, describe the IP block rule.

Enabled – Select to enable the rule.

3 Click Add. The rule is added to the Current rules table.

Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.

Editing and Removing IP Block Rules

To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.

Configuring Advanced Networking Features

Advanced Firewall’s advanced networking settings can help prevent denial of service (DoS) attacks and enforce TCP/IP standards to restrict broken network devices from causing disruption.
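The address forms listed under About IP Address Definitions and in the IP block settings above, the precedence of Exception rules over drop and reject rules, and the same-subnet limitation in the note can all be exercised with a small evaluator. The Python below is an added example for this edit, not Smoothwall code; the BlockRule class, the verdict names and the local_networks parameter (used to model hosts that share a subnet and so never traverse the firewall) are assumptions made for the illustration.

```python
"""IP block rule evaluation: the address forms the guide accepts, the
precedence of Exception rules, and the same-subnet limitation.
Added illustration; class and verdict names are assumptions, not Smoothwall code."""
import ipaddress
from dataclasses import dataclass


def parse_address(spec):
    """Return the (first, last) addresses covered by one address definition.

    Accepts the four forms the guide uses: a single IP, a dotted-decimal
    mask (192.168.10.0/255.255.255.0), prefix notation (192.168.10.0/24)
    and a start-end range (192.168.10.1-192.168.10.15).
    """
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError("range end precedes range start: " + spec)
        return first, last
    # ip_network accepts a bare address (as /32), a prefix and a dotted mask.
    net = ipaddress.ip_network(spec, strict=False)
    return net.network_address, net.broadcast_address


def matches(spec, ip):
    """A blank field means 'any address', as it does on the form."""
    if not spec:
        return True
    first, last = parse_address(spec)
    return first <= ipaddress.ip_address(ip) <= last


@dataclass
class BlockRule:
    source: str              # Source IP or network ("" = any)
    destination: str = ""    # Destination IP or network ("" = any)
    action: str = "drop"     # "drop", "reject" or "exception"
    enabled: bool = True


def evaluate(rules, src_ip, dst_ip, local_networks=()):
    """Return 'not-routed', 'accept', 'drop' or 'reject' for one packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Hosts sharing a subnet talk directly; the firewall never sees the
    # packet, so no IP block rule can affect it (the guide's note).
    for net in local_networks:
        network = ipaddress.ip_network(net, strict=False)
        if src in network and dst in network:
            return "not-routed"
    active = [r for r in rules if r.enabled]
    # An Exception rule wins regardless of all other IP block rules.
    for rule in active:
        if rule.action == "exception" and matches(rule.source, src_ip) and matches(rule.destination, dst_ip):
            return "accept"
    for rule in active:
        if rule.action in ("drop", "reject") and matches(rule.source, src_ip) and matches(rule.destination, dst_ip):
            return rule.action
    return "accept"
```

The first test case below is the guide's own pattern: one rule drops a whole subnet, a second exempts a range inside it, so 192.168.10.5 is accepted while 192.168.10.20 is dropped, and two hosts on that subnet talking to each other are reported as never reaching the firewall at all.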

To configure advanced networking features:

1 Navigate to the Networking > Settings > Advanced page.

2 Configure the following feature settings:

Setting – Description

Block and ignore:

ICMP ping broadcasts – Select to prevent the system responding to broadcast ping messages from all network zones (including external). This can prevent the effects of a broadcast ping-based DoS attack.

ICMP ping – Select to block all ICMP ping requests going to or through Advanced Firewall. This will effectively hide the machine from Internet Control Message Protocol (ICMP) pings, but this can also make connectivity problems more difficult to diagnose.

Multicast traffic – Select this option to block multicast messages on network address 224.0.0.0 from ISPs and prevent them generating large volumes of spurious log entries.

IGMP packets – Select this option to block and ignore multi-cast reporting Internet Group Management Protocol (IGMP) packets. Generally, IGMP packets are harmless and are most commonly observed when using cable modems to provide external connectivity. If your logs contain a high volume of IGMP entries, enable this option to ignore IGMP packets without generating log entries.

SYN+FIN packets – Select to automatically discard packets used in SYN+FIN scans, which are used to passively scan systems. SYN+FIN scans result in large numbers of log entries being generated. With this option enabled, the scan packets are automatically discarded and are not logged.

Enable:

SYN cookies – Select to defend the system against SYN flood attacks, the aim being to avoid a DoS attack. A SYN flood attack is where a huge number of connection requests, SYN packets, are sent to a machine in the hope that it will be overwhelmed. The use of SYN cookies is a standard defence mechanism against this type of attack.

ECN – Select this option to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion. While effective, it requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bit. For this reason, this feature is disabled by default.

Window scaling – Select this option to enable TCP window scaling to improve the performance of TCP on high speed links.

TCP timestamps – Select this option to enable TCP timestamps (RFC1323) to improve TCP performance on high speed links.

Selective ACKs – Select this option to enable selective ACKs (RFC2018) to improve TCP performance when packet loss is high.

ARP filter – Select this option to enable the ARP filter. This option can be enabled if your network is experiencing ARP flux.

ARP table size – You should increase the ARP table size if the number of directly connected machines or IP addresses is more than the value shown in the drop-down box. Directly connected machines are those which are not behind an intermediate router but are instead directly attached to one of Advanced Firewall's network interfaces. In normal situations, the default value of 2048 will be adequate, but in very big networks, select a bigger value.

SYN backlog queue size – Select this option to set the maximum number of requests which may be waiting in a queue to be answered. The default value for this setting is usually adequate, but increasing the value may reduce connection problems for an extremely busy proxy service.

Connection tracking table size – Select to store information about all connections known to the system. This includes NATed sessions, and traffic passing through the firewall. The value entered in this field determines the table’s maximum size. In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements. Occasionally, the default size, which is set according to the amount of memory, is insufficient – use this field to configure a larger size.
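Most of the Enable options above correspond to Linux kernel settings, and a defender auditing a firewall build will want to confirm that the protective ones (SYN cookies, ignoring ping broadcasts) are actually on. The Python below is an added example for this edit, not Smoothwall code. It parses a sysctl -a style dump and reports each option; the mapping from the option names on the page to sysctl keys is an assumption (Advanced Firewall runs on Linux, but the guide does not say which sysctls its interface sets), and the dump it parses is constructed sample data, not output from a real appliance.

```python
"""Audit of a Linux sysctl dump against the Advanced networking options.
Added illustration; the option-to-sysctl mapping is an assumption and the
sample dump is constructed, not taken from a Smoothwall system."""

# Option name as on the page -> (assumed sysctl key, value meaning 'enabled').
# tcp_ecn: only 1 means ECN is requested; 2 accepts it but never asks for it.
TOGGLES = {
    "SYN cookies": ("net.ipv4.tcp_syncookies", "1"),
    "ICMP ping broadcasts blocked": ("net.ipv4.icmp_echo_ignore_broadcasts", "1"),
    "ECN": ("net.ipv4.tcp_ecn", "1"),
    "Window scaling": ("net.ipv4.tcp_window_scaling", "1"),
    "TCP timestamps": ("net.ipv4.tcp_timestamps", "1"),
    "Selective ACKs": ("net.ipv4.tcp_sack", "1"),
    "ARP filter": ("net.ipv4.conf.all.arp_filter", "1"),
}
# Table-size options -> assumed sysctl key holding the limit.
SIZES = {
    "ARP table size": "net.ipv4.neigh.default.gc_thresh3",
    "SYN backlog queue size": "net.ipv4.tcp_max_syn_backlog",
    "Connection tracking table size": "net.netfilter.nf_conntrack_max",
}
# Options the page presents as DoS protections; report them when off.
RECOMMENDED_ON = ("SYN cookies", "ICMP ping broadcasts blocked")

# Constructed sample in `sysctl -a` output format (not from a real host).
SAMPLE_SYSCTL = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.conf.all.arp_filter = 0
net.ipv4.neigh.default.gc_thresh3 = 1024
net.ipv4.tcp_max_syn_backlog = 2048
net.netfilter.nf_conntrack_max = 65536
"""


def parse_sysctl(text):
    """Parse 'key = value' lines into a dict; blank and comment lines are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def audit(text):
    """Return {option: 'enabled' | 'disabled' | 'unknown' | <limit as int>}."""
    values = parse_sysctl(text)
    report = {}
    for option, (key, on_value) in TOGGLES.items():
        if key not in values:
            report[option] = "unknown"       # key absent: cannot tell
        else:
            report[option] = "enabled" if values[key] == on_value else "disabled"
    for option, key in SIZES.items():
        raw = values.get(key, "")
        report[option] = int(raw) if raw.isdigit() else "unknown"
    return report


def findings(text):
    """Names of DoS-protection options that are not confirmed enabled."""
    report = audit(text)
    return [option for option in RECOMMENDED_ON if report[option] != "enabled"]
```

On the constructed sample the audit flags SYN cookies as disabled and reports ECN as disabled (value 2 means accept-only), which matches the page's note that ECN is off by default; on a real appliance you would feed it the output of sysctl -a captured from the box.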

Audit – Traffic auditing is a means of recording extended traffic logs for the purpose of analyzing the different types of incoming, outgoing and forwarded traffic. Traffic auditing logs are viewable on the Logs and reports > Logs > Firewall page. Note: It is possible that auditing traffic generates vast amounts of logging data. Ensure that the quantity of logs generated is acceptable.

Direct incoming traffic – Select to log all new connections to all interfaces that are destined for the firewall.

Direct outgoing traffic – Select to log all new connections from any interface.

Forwarded traffic – Select to log all new connections passing through one interface to another.

Drop all direct traffic on internal interfaces – Select any internal interfaces which have hosts on them that do not require direct access to the system but do require access to other networks connected to Advanced Firewall.

3 Click Save to enable the settings you have selected.

Working with Port Groups

You can create and edit named groups of TCP/UDP ports for use throughout Advanced Firewall. Creating port groups significantly reduces the number of rules needed and makes rules more flexible. For example, you can create a port group to make a single port forward to multiple ports and modify which ports are in the group without having to recreate the rules that use it. In this way you could easily add a new service to all your DMZ servers.

Creating a Port Group

To create a port group:

1 Navigate to the Networking > Settings > Port groups page.

2 In the Port groups area, click New and configure the following settings:

Setting – Description

Group name – Enter a name for the port group and click Save.

Name – Enter a name for the port or range of ports you want to add to the group.

Port – Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers, separated by : for example: 1024:65535. For non-consecutive ports, create a separate entry for each port number.

Comment – Optionally, add a descriptive comment for the port or port range.

3 Click Add. The port, ports or port range is added to the group.

Adding Ports to Existing Port Groups

To add a new port:

1 Navigate to the Networking > Settings > Port groups page.

2 Configure the following settings:

Setting – Description

Port groups – From the drop-down list, select the group you want to add a port to and click Select.

Name – Enter a name for the port or range of ports you want to add to the group.

Port – Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers, separated by : for example: 1024:65535

Comment – Optionally, add a descriptive comment for the port or port range.

3 Click Add. The port, ports or range are added to the group.

Editing Port Groups

To edit a port group:

1 Navigate to the Networking > Settings > Port groups page.

2 From the Port groups drop-down list, select the group you want to edit and click Select.

3 In the Current ports area, select the port you want to change and click Edit.

4 In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.

Deleting a Port Group

To delete a port group:

1 Navigate to the Networking > Settings > Port groups page.

2 From the Port groups drop-down list, select the group you want to delete and click Select.

3 Click Delete.

Note: Deleting a port group cannot be undone.


Chapter 6 Configuring Inter-Zone Security

In this chapter:

• How bridging rules allow access between internal network zones.

About Zone Bridging Rules

By default, all internal network zones are isolated by Advanced Firewall. Zone bridging is the process of modifying this, in order to allow some kind of communication to take place between a pair of network zones. It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a named port and protocol, or a wide or unrestricted bridge, e.g. a bi-directional, any-host to any-host bridge, using any port and protocol. In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.

A zone bridging rule defines a bridge in the following terms:

Term – Description

Zones – Defines the two network zones between which the bridge exists.

Direction – Defines whether the bridge is accessible one-way or bi-directionally.

Source – Defines whether the bridge is accessible from an individual host, a range of hosts, a network or any hosts.

Destination – Defines whether the bridge allows access to an individual host, a range of hosts, a network or any host.

Protocol – Defines what protocol can be used across the bridge.

Service – Defines what ports and services can be used across the bridge.

Creating a Zone Bridging Rule

Zone bridging rules enable communications between specific parts of separate internal networks.

To create a zone bridging rule:

1 Navigate to the Networking > Filtering > Zone bridging page.

2 Configure the following settings:

Setting – Description

Source interface – From the drop-down menu, select the source network zone.

Source IP – Enter the source IP, IP range or subnet range from which access is permitted. To create a bridge from:

• A single network host, enter its IP address, for example: 192.168.10.1.

• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.

• A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.

• Any network host in the source network, leave the field blank.

Destination interface – From the drop-down menu, select the destination network zone.

Destination IP – Enter the destination IP, IP range or subnet range to which access is permitted. To create a bridge to:

• A single network host, enter its IP address, for example: 192.168.10.1.

• A range of network hosts, enter an IP address range, for example: 192.168.10.1-192.168.10.15.

• A subnet range of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.

• Any network host in the destination network, leave the field blank.

Bidirectional – Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface. Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected.

Protocol – From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.

Service – From the drop-down list, select the services, port range or group of ports to which access is permitted. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol. Note: This is only applicable to TCP and UDP.

Port – If User defined is selected as the destination port, specify the port number. Or, leave the field blank to permit access to all ports for the relevant protocol.

Comment – Enter a description of the bridging rule.

Enabled – Select to enable the rule.

3 Click Add. The rule is added to the Current rules table.

Editing and Removing Zone Bridge Rules

To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.

A Zone Bridging Tutorial

In this tutorial, we will create a DMZ that:

• Allows restricted external access to a web server in the DMZ, from the Internet.

• Allows unrestricted access to the DMZ from the protected network.

• Does not allow access to the protected network from the DMZ.

In this example, we will use the following two local network zones:

Network zone – Description – IP address

Protected network – Contains local user workstations and confidential business data. – 192.168.100.0/24

DMZ – Contains a web server. – 192.168.200.0/24

Note: The DMZ network zone is a DMZ in name alone – until appropriate bridging rules are created, neither zone can see or communicate with the other.

A single zone bridging rule will satisfy the bridging requirements, while a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.

Creating the Zone Bridging Rule

To create the rule:

1 Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:

Setting – Description

Source interface – From the drop-down menu, select the protected network.

Destination interface – From the drop-down menu, select the DMZ.

Protocol – From the drop-down list, select All.

Comment – Enter a description of the rule.

Enabled – Select Enabled to activate the bridging rule once it has been added.

2 Click Add. Hosts in the protected network will now be able to access any host or service in the DMZ, but not vice versa.

Allowing Access to the Web Server

To allow access to a web server in the DMZ from the Internet:

1 Navigate to the Networking > Firewall > Port forwarding page and configure the following settings:

Setting – Description

Protocol – From the drop-down list, select TCP.

Source – From the drop-down menu, select HTTP (80) to forward HTTP requests to the web server.

Destination IP – Enter the IP address of the web server: 192.168.200.10

Comment – Enter a description, such as Port forward to DMZ web server.

Enabled – Select to activate the port forward rule once it has been added.

2 Click Add.

Accessing a Database on the Protected Network

Multiple zone bridging rules can be used to further extend the communication allowed between the zones. As an extension to the previous example, a further requirement might be to allow the web server in the DMZ to communicate with a confidential database in the Protected Network.

To create the rule:

1 Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:

Setting – Description

Source interface – From the drop-down menu, select DMZ.

Source IP – Enter the web server’s IP address: 192.168.200.10

Destination interface – From the drop-down menu, select Protected Network.

Destination IP – Enter the database’s IP address: 192.168.100.50

Protocol – From the drop-down menu, select TCP.

Service – Select User defined.

Port – The database service is accessed on port 3306. Enter 3306.

Comment – Enter a comment: DMZ web server to Protected Network DB.

Enabled – Select to activate the bridging rule once it has been added.

2 Click Add.
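The tutorial's end state (two isolated zones, one wide one-way bridge from the protected network into the DMZ, and one narrow bridge from the web server to the database on TCP 3306) can be modelled and checked before the rules are committed to a live firewall. The Python below is an added example for this edit, not Smoothwall code; it uses the zone names and addresses from the tutorial, but the BridgeRule class and the allowed function are assumptions about how the rule terms combine, and the Internet-facing port forward is deliberately not modelled, only inter-zone traffic is.

```python
"""Model of the zone bridging tutorial: default deny between zones, a wide
Protected Network -> DMZ bridge, and a narrow DMZ web server -> database
bridge on TCP 3306.  Added illustration; the class and the matching logic
are assumptions, not Smoothwall code.  The port forward is not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zones from the tutorial (names and addresses as given in the guide).
ZONES = {
    "Protected Network": ipaddress.ip_network("192.168.100.0/24"),
    "DMZ": ipaddress.ip_network("192.168.200.0/24"),
}


@dataclass
class BridgeRule:
    source_zone: str
    dest_zone: str
    source_ip: str = ""            # "" = any host in the source zone
    dest_ip: str = ""              # "" = any host in the destination zone
    protocol: str = "All"          # "All", "TCP", "UDP", ...
    port: Optional[int] = None     # None = all ports (User defined, Port blank)
    bidirectional: bool = False    # unset = one-way, source initiates only
    enabled: bool = True


def zone_of(ip):
    """Name of the zone containing ip, or None if it is in neither."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def _in(spec, ip):
    """Blank field matches any host; otherwise a single IP or a subnet."""
    return not spec or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _matches(rule, src_zone, dst_zone, src_ip, dst_ip, protocol, port):
    if (rule.source_zone, rule.dest_zone) != (src_zone, dst_zone):
        return False
    if not (_in(rule.source_ip, src_ip) and _in(rule.dest_ip, dst_ip)):
        return False
    if rule.protocol != "All" and rule.protocol != protocol:
        return False
    # Port is only meaningful for TCP and UDP; None permits all ports.
    return rule.port is None or rule.port == port


def allowed(rules, src_ip, dst_ip, protocol, port=None):
    """Can src_ip initiate a connection to dst_ip? Zones are isolated by
    default; traffic that stays inside one zone is not filtered."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return False            # addresses outside the modelled zones
    if src_zone == dst_zone:
        return True
    for rule in rules:
        if not rule.enabled:
            continue
        if _matches(rule, src_zone, dst_zone, src_ip, dst_ip, protocol, port):
            return True
        # A bidirectional bridge also lets the destination side initiate,
        # so the rule is tested with the roles swapped.
        if rule.bidirectional and _matches(rule, dst_zone, src_zone, dst_ip, src_ip, protocol, port):
            return True
    return False


# The two rules created in the tutorial, in the order they are added.
TUTORIAL_RULES = [
    BridgeRule("Protected Network", "DMZ", protocol="All"),
    BridgeRule("DMZ", "Protected Network", source_ip="192.168.200.10",
               dest_ip="192.168.100.50", protocol="TCP", port=3306),
]
```

Checking the model confirms what the tutorial promises: any protected host can reach anything in the DMZ, the web server can reach the database on 3306 and nothing else, and another DMZ host cannot reach the database at all. Flipping the first rule to bidirectional shows how much a wide two-way bridge opens up, which is the guide's reason for keeping bridges as narrow as possible.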

Group Bridging

By default, authenticated users may only access network resources within their current network zone, or that are allowed by any active zone bridging rules. Group bridging is the process of modifying this default security policy, in order to allow authenticated users from any network zone to access specific IP addresses, IP ranges, subnets and ports within a specified network zone. Authenticated groups of users can be bridged to a particular network by creating group bridging rules.

Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named port and protocol) or wide (e.g. allow access to any host, using any port and protocol). In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable use.

A group bridging rule defines a bridge in the following terms:

Group – The group of users from the authentication sub-system that may access the bridge.

Zone – The destination network zone.

Destination – Defines whether the bridge allows access to an individual host, a range of hosts, a subnet of hosts or any hosts.

Protocol – Defines what protocol can be used across the bridge.

Service – Defines what ports and services can be used across the bridge.

Group Bridging and Authentication

Group bridging uses the core authentication mechanism, meaning that users must be preauthenticated before group bridging rules can be enforced by Advanced Firewall. Users can authenticate themselves using the authentication system’s Login mechanism, either automatically when they try to initiate outbound web access or manually by browsing to the secure SSL Login page. Authentication can also be provided by any other mechanism used elsewhere in the system. For further information about authentication, see Chapter 10, Authentication and User Management on page 193.

Creating Group Bridging Rules

Group bridging rules apply additional zone communication rules to authenticated users.

To create a group bridging rule:
1 Navigate to the Networking > Filtering > Group bridging page.
2 Configure the following settings:
Groups – From the drop-down menu, select the group of users that this rule will apply to.
Select – Click to select the group.
Destination interface – Select the interface that the group will be permitted to access.
Destination IP – Enter the destination IP, IP range or subnet range that the group will be permitted to access. To create a rule to allow access to:
• A single network host in the destination network, enter its IP address, for example: 192.168.10.10.
• A range of network hosts in the destination network, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts in the destination network, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the destination network, leave the field blank.
Protocol – From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.
Service – From the drop-down list, select the service, port or port range to be used. To allow any service or port to be used, select User defined and leave the Port field empty. To restrict to a custom port, select User defined and enter a port number in the Port field.
Port – If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol will be permitted.
Comment – Enter a description of the rule.
Enabled – Select to enable the rule.
3 Click Add. The rule is added to the Current rules table.
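The following Python is an added example, not Smoothwall code: it models how the Destination IP and Port fields described above are interpreted (blank, single host, a-b range, subnet in either mask notation) and checks a request against a list of group bridging rules. The group names, interface names and addresses are constructed, and the wide_dimensions check is this example's reading of the manual's advice to keep bridges as narrow as possible.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# A parsed Destination IP field: None (any host), a single address,
# a subnet, or an inclusive (first, last) address range.
AddrSpec = Union[None, ipaddress.IPv4Address, ipaddress.IPv4Network,
                 Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]


def parse_destination(text: str) -> AddrSpec:
    """Parse the Destination IP field as the manual documents it:
    blank = any host, '192.168.10.10', '192.168.10.1-192.168.10.15',
    or a subnet written as '192.168.10.0/24' or '192.168.10.0/255.255.255.0'."""
    text = text.replace(" ", "")
    if not text:
        return None
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p) for p in text.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {text}")
        return (first, last)
    if "/" in text:
        # IPv4Network accepts both prefix-length and dotted-mask notation.
        return ipaddress.IPv4Network(text, strict=False)
    return ipaddress.IPv4Address(text)


def parse_port(text: str) -> Optional[Tuple[int, int]]:
    """Port field: blank = all ports for the protocol, '3306', or 'A:B'."""
    text = text.strip()
    if not text:
        return None
    lo, _, hi = text.partition(":")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"invalid port or range: {text}")
    return (lo_i, hi_i)


@dataclass(frozen=True)
class GroupBridgeRule:
    group: str
    destination_interface: str
    destination: AddrSpec
    protocol: str                       # "All" or a specific protocol such as "TCP"
    ports: Optional[Tuple[int, int]]    # None = all ports for the protocol
    enabled: bool = True

    @classmethod
    def from_form(cls, group: str, destination_interface: str, destination_ip: str = "",
                  protocol: str = "All", port: str = "", enabled: bool = True):
        """Build a rule from the field values as typed into the Group bridging page."""
        return cls(group, destination_interface, parse_destination(destination_ip),
                   protocol, parse_port(port), enabled)

    def covers_address(self, address: str) -> bool:
        ip = ipaddress.IPv4Address(address)
        dest = self.destination
        if dest is None:
            return True
        if isinstance(dest, tuple):
            return dest[0] <= ip <= dest[1]
        if isinstance(dest, ipaddress.IPv4Network):
            return ip in dest
        return ip == dest

    def permits(self, group: str, interface: str, address: str,
                protocol: str, port: int) -> bool:
        """True if an authenticated member of `group` may reach address:port over
        `protocol` on `interface` through this bridge."""
        return (self.enabled
                and group == self.group
                and interface == self.destination_interface
                and self.covers_address(address)
                and self.protocol in ("All", protocol)
                and (self.ports is None or self.ports[0] <= port <= self.ports[1]))

    def wide_dimensions(self) -> List[str]:
        """Dimensions the bridge leaves unrestricted; a non-empty list is worth
        review because the manual advises keeping bridges as narrow as possible."""
        wide = []
        if self.destination is None:
            wide.append("destination: any host")
        elif isinstance(self.destination, ipaddress.IPv4Network) and self.destination.num_addresses > 256:
            wide.append(f"destination: {self.destination.num_addresses} addresses")
        if self.protocol == "All":
            wide.append("protocol: all protocols")
        if self.ports is None:
            wide.append("port: all ports")
        return wide


def first_permitting_rule(rules: List[GroupBridgeRule], group: str, interface: str,
                          address: str, protocol: str, port: int) -> Optional[GroupBridgeRule]:
    """Return the first enabled rule that bridges the request, or None when the
    user stays confined to their own zone."""
    for rule in rules:
        if rule.permits(group, interface, address, protocol, port):
            return rule
    return None


if __name__ == "__main__":
    # Constructed rules: a narrow bridge to a database host range and a wide one.
    rules = [
        GroupBridgeRule.from_form("Developers", "DMZ", "192.168.10.1-192.168.10.15", "TCP", "3306"),
        GroupBridgeRule.from_form("IT", "DMZ", "192.168.10.0/255.255.255.0"),
    ]
    print(first_permitting_rule(rules, "Developers", "DMZ", "192.168.10.10", "TCP", 3306))
    for r in rules:
        print(r.group, r.wide_dimensions())
```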

Editing and Removing Group Bridges
To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current rules region.


Chapter 7 Managing Inbound and Outbound Traffic
In this chapter:
• How port forward rules work
• Application helpers which allow traffic passing through the firewall to work correctly
• How to manage outbound access to IP addresses and networks.

Introduction to Port Forwards – Inbound Security
Port forwards are used to forward requests that arrive at an external network interface to a particular network host in an internal network zone. It is common to think of such requests arriving from hosts on the Internet; however, port forwards can be used to forward any type of traffic that arrives at an external interface, regardless of whether the external interface connects to the Internet or some other external network zone.

For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a De-Militarized Zone (DMZ). If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.2.60.

Port Forward Rules Criteria
Port forward rules can be configured to forward traffic based on the following criteria:
External IP – Forward traffic if it originated from a particular IP address, IP address range or subnet range.
Source IP – Forward traffic if it arrived at a particular external interface or external alias.
Protocol – Forward traffic if it uses a particular protocol.
Port – Forward traffic if it was destined for a particular port or range of ports.
Destination IP – A port forward will send traffic to a specific destination IP.
Destination port – A port forward will send traffic to a specific destination port.

Note: It is important to consider the security implications of each new port forward rule. Port forwards allow unknown hosts from the external network to access a particular internal host. Any network is only as secure as the services exposed upon it. If a cracker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network. For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones, i.e. a DMZ scenario, that preferably contain no confidential or security-sensitive network hosts. Use the Networking > Filtering > Zone bridging page to ensure that the target host of the port forward is contained within a suitably isolated network.

Creating Port Forward Rules
To create a port forward rule:
1 Navigate to the Networking > Firewall > Port forwarding page.
2 Configure the following settings:
External interface – From the drop-down menu, select the interface that the port forward will be bound to. By default, a port forward is bound to the primary external connection. However, if you have a secondary external connection you can assign a port forward explicitly to it.
Select – Click to select the external interface specified.
External IP or network – Enter the IP address, address range or subnet range of the external hosts allowed to use this rule. Or, to create a port forward rule that will forward all external hosts (such as that required to port forward anonymous HTTP requests from any network host to a web server), leave this field blank.
Protocol – From the drop-down list, select the network protocol for the traffic that you want to forward. For example, to port forward an HTTP request, which is a TCP-based protocol, choose the TCP option.

Source IP – Select the external IP alias that this rule will apply to. In most cases, this will be the IP of the default external connection.
Source service – From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
User defined – If User defined is selected in the Source service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
Destination IP – Enter the IP address of the network host to which traffic should be forwarded.
Destination service – From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
User defined – If User defined is selected as the destination service, enter a destination port. Leave this field empty to create a port forward that uses the source port as the destination port. If left blank and the source service value specified a port range, the destination port will be the same as the port that the connection came in on. If it contains a single port, then this will be used as the target.
Log – Select to log all port forwarded traffic.
IPS – Select to deploy intrusion prevention. See Chapter 8, Deploying Intrusion Prevention Policies on page 115 for more information. Note: Only applies to the protocols TCP and UDP.
Comment – Enter a description of the port forward rule.
Enabled – Select to enable the rule.
3 Click Add. The port forward rule is added to the Current rules table.

Load Balancing Port Forwarded Traffic
Advanced Firewall enables you to load balance port forwarded traffic to different network hosts.
To load balance port forwards:
1 On the Networking > Firewall > Port forwarding page, create a port forward rule to the first network host. See Creating Port Forward Rules on page 68 for more information.
2 On the Networking > Firewall > Port forwarding page, create another port forward rule using exactly the same settings except for the destination IP to the second network host. Advanced Firewall automatically balances the traffic between the hosts.

Editing and Removing Port Forward Rules
To edit or remove existing port forward rules, use Edit and Remove in the Current rules area.

Advanced Network and Firewall Settings
The following sections explain network application helpers, how you can manage bad traffic actions, reflective port forwarding and connectivity failback.
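An added example, not part of Advanced Firewall, modelling the port forward criteria described above in Python: A:B source port ranges, a blank destination port that keeps the port the connection came in on, an External IP or network restriction, and the load balancing of two rules that differ only in destination IP. The interface name eth0 and the external addresses are constructed; round-robin selection between balanced hosts is an assumption, since the manual only says traffic is balanced automatically.

```python
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


def parse_port_spec(text: str) -> Optional[Tuple[int, int]]:
    """User defined port field: '80' -> (80, 80), '1000:1028' -> (1000, 1028),
    blank -> None (for the destination: keep the incoming port)."""
    text = text.strip()
    if not text:
        return None
    lo, _, hi = text.partition(":")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"invalid port or range: {text}")
    return (lo_i, hi_i)


@dataclass(frozen=True)
class PortForwardRule:
    external_interface: str                              # interface the rule is bound to
    external_network: Optional[ipaddress.IPv4Network]    # None = any external host
    protocol: str
    source_ports: Tuple[int, int]                        # port(s) the traffic arrived on
    destination_ip: ipaddress.IPv4Address
    destination_port: Optional[int]                      # None = keep the incoming port
    enabled: bool = True

    @classmethod
    def from_form(cls, external_interface: str, protocol: str, source_service: str,
                  destination_ip: str, external_network: str = "",
                  destination_service: str = "", enabled: bool = True):
        """Build a rule from the field values as entered on the Port forwarding page."""
        net = (ipaddress.IPv4Network(external_network, strict=False)
               if external_network.strip() else None)
        src = parse_port_spec(source_service)
        if src is None:
            raise ValueError("source service must name a port or port range")
        dst = parse_port_spec(destination_service)
        if dst is not None and dst[0] != dst[1]:
            raise ValueError("destination service must be a single port")
        return cls(external_interface, net, protocol, src,
                   ipaddress.IPv4Address(destination_ip),
                   None if dst is None else dst[0], enabled)

    def balancing_key(self) -> tuple:
        """Everything except the destination IP: rules sharing this key are the
        'same settings except for the destination IP' the manual describes."""
        return (self.external_interface, self.external_network, self.protocol,
                self.source_ports, self.destination_port)

    def matches(self, interface: str, external_ip: str, protocol: str, port: int) -> bool:
        return (self.enabled
                and interface == self.external_interface
                and (self.external_network is None
                     or ipaddress.IPv4Address(external_ip) in self.external_network)
                and protocol == self.protocol
                and self.source_ports[0] <= port <= self.source_ports[1])

    def target_port(self, incoming_port: int) -> int:
        return incoming_port if self.destination_port is None else self.destination_port


class PortForwarder:
    def __init__(self, rules: List[PortForwardRule]):
        self.rules = rules
        self._cycles: Dict[tuple, Iterator[PortForwardRule]] = {}

    def resolve(self, interface: str, external_ip: str, protocol: str,
                port: int) -> Optional[Tuple[str, int]]:
        """Return (destination IP, destination port) for arriving traffic, or None
        when no rule forwards it."""
        matching = [r for r in self.rules if r.matches(interface, external_ip, protocol, port)]
        if not matching:
            return None
        key = matching[0].balancing_key()
        group = [r for r in matching if r.balancing_key() == key]
        # Alternate between the hosts of a balancing group (round-robin is an assumption).
        cycle = self._cycles.setdefault(key, itertools.cycle(group))
        rule = next(cycle)
        return str(rule.destination_ip), rule.target_port(port)


if __name__ == "__main__":
    # Constructed rule set: the manual's 80 -> 81 web forward plus a balanced pair.
    fw = PortForwarder([
        PortForwardRule.from_form("eth0", "TCP", "80", "192.168.2.60", destination_service="81"),
        PortForwardRule.from_form("eth0", "TCP", "443", "192.168.2.61"),
        PortForwardRule.from_form("eth0", "TCP", "443", "192.168.2.62"),
    ])
    print(fw.resolve("eth0", "203.0.113.5", "TCP", 80))
    print(fw.resolve("eth0", "203.0.113.5", "TCP", 443), fw.resolve("eth0", "203.0.113.5", "TCP", 443))
```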

Network Application Helpers
Advanced Firewall includes a number of helper applications which must be enabled to allow certain types of traffic passing through the firewall to work correctly. The following helper applications are available:
FTP – IP information is embedded within FTP traffic; this helper application ensures that FTP active mode client connections are not adversely affected by the firewall.
IRC – IP information is embedded within IRC traffic; this helper application ensures that IRC communication is not adversely affected by the firewall.
Advanced PPTP support – When enabled, loads special software modules to help PPTP clients. This is the PPTP client protocol used in standard Windows VPNing. Without this option enabled, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used. Note: When this application helper is enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
H323 – When enabled, loads modules to enable passthrough of H323, a common protocol used in Voice over IP (VoIP) applications. Additionally, with this option enabled, it is possible to receive incoming H323 calls through the use of a port forward on the H323 port. If this option is not selected, it will not be possible to make VoIP calls. This option is disabled by default because of a theoretical security risk associated with the use of H323 passthrough. We recommend that you only enable this feature if you require VoIP functionality.
To enable a helper application:
1 Navigate to the Networking > Firewall > Advanced page.

2 In the Network application helpers area, select the application(s) you require.
3 Click Save changes. Advanced Firewall applies and saves the changes.

Managing Bad External Traffic
By default, bad traffic is rejected and a ‘No one here’ ICMP message is bounced back to the sender. This is what Internet hosts are meant to do. However, you can drop traffic silently, which enables you to ‘stealth’ your firewall and make things like port scans much harder to do.
To manage bad external traffic:
1 Navigate to the Networking > Firewall > Advanced page.
2 In the Advanced area, from the Bad external traffic drop-down list, select Drop to silently discard the traffic and not send a message to the sender, or Reject to reject the traffic and notify the sender. Selecting Drop runs Advanced Firewall in a stealth-like manner and makes things like port scans much harder to do.
3 Click Save changes to implement your selection.

Configuring Reflective Port Forwards
By default, port forwards are not accessible from within the same network where the destination of the forward resides. However, when enabled, the reflective port forwards option allows port forwards originating on an internal network to reach a host on the same network. This makes it possible to access a port forwarded service from inside the internal network using the same (external) address as an external host would.
To configure reflective port forwards:
1 Navigate to the Networking > Firewall > Advanced page.
2 Enable Reflective port forwards and click Save changes.

Managing Connectivity Failback
The following sections explain how to configure failback and automatic failback for connectivity profiles. For more information on connectivity profiles, see Chapter 3, Connecting Using a Static Ethernet Connectivity Profile on page 20.

Configuring Connectivity Failback
The following section explains how to configure Advanced Firewall to revert to a specific connectivity profile after reboot if its primary connectivity profile has failed.
To configure connectivity failback:
1 On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.
2 From the Connectivity failback profile drop-down menu, select the profile to use after reboot if the primary connectivity profile has failed.
3 Click Save changes.

Configuring Automatic Failback
It is possible to configure Advanced Firewall to enable automatic failback. When enabled, Advanced Firewall automatically attempts to revert to the connectivity failback profile specified in the Connectivity Failback area daily. This is attempted once a day.
To configure automatic failback:
1 On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.
2 Enable Automatic failback and click Save changes. Advanced Firewall applies and saves the changes.

Managing Outbound Traffic and Services
The following sections discuss port and access rules which are used to control outbound network traffic and services.

Working with Port Rules
Port rules are used when creating outbound access rules which determine how outbound network traffic and services are managed. For more information on outbound access rules, see Working with Outbound Access Policies on page 76.

Predefined Port Rules
Advanced Firewall contains a number of predefined, customizable port rules which allow or reject network traffic or specific services access on certain ports. Currently, the following port rules are predefined:
Allow all – Allow unrestricted outbound access to the Internet.
Allow basic services – Allow services common to most user computers, including web browsing (HTTP and HTTPS) and DNS on listed ports.
Allow email services – Allow email services on listed ports.
Reject all – Reject all outbound access to the Internet except for listed ports.
Reject all with logging – Reject all outbound access to the Internet except for listed ports and log the rejections.
Reject all P2P – Reject all peer to peer outbound access to the Internet on listed ports. For more information, see Managing Blocked Services on page 74.
Reject known exploits – Reject outbound access on the listed ports which are associated with many common exploits against programs and services.
Reject MS ports – Reject outbound access on the listed ports which are associated with Microsoft Windows local area networking.

Creating a Port Rule
It is possible to create a custom port rule. To create a port rule:
1 Navigate to the Networking > Outgoing > Ports page.
2 Click Add new port rule. The following dialog box opens.
3 Configure the following settings:
Name – Enter a name for the port rule. This name will be displayed wherever the rule can be selected.
Action – Select one of the following actions:
Reject only listed ports – Reject outbound access on listed ports but allow on all other ports.
Allow only listed ports – Allow outbound access on listed ports but reject on all other ports.

Rejection logging – Select if you want to log outbound requests rejected by this rule.
Stealth mode – Select if you want to log but not reject outbound requests. Note: This generates a lot of data and should be used with care.
4 Click Add. Advanced Firewall adds the port rule to the Port rules list.
5 Click Add new port/service. The following dialog box opens.
6 Configure the following settings:
Status – Select to enable the rule.
Protocol – From the drop-down menu, select the network protocol to add to the port.
Destination port – Select one of the following:
• Any – Any destination port.
• From the drop-down menu, select the port, port range or group of ports you want to allow or deny access to.
• Enter a custom port number or range of ports if User defined is selected in the Service drop-down list. A port range is specified using from:to notation, for example: 1024:2048.
Comment – Enter a description of the port.
7 Click Add. The port is added to the port rule.
Note: Some services use unpredictable port numbers to evade port-based outbound access rules. To control access to these services, see Managing Blocked Services on page 74.

Managing Blocked Services
Advanced Firewall is able to detect and block service activity such as Skype and BitTorrent using deep packet inspection.
To configure blocking services:
1 On the Networking > Outgoing > Ports page, locate the port rule for which you want to configure services.

2 Click the rule’s content arrow. The ports/services contained in the rule are displayed.
3 Point to Blocked services and click Edit. The following dialog box opens.
4 Select the services you want to block. Note: The types of services available depend on what Deep Packet Inspection licensing you have purchased. Contact your Smoothwall representative for more information.
5 Click Save to save the settings and close the dialog box. Advanced Firewall applies the settings and starts blocking the services selected.

Editing a Port Rule
To edit a port rule:
1 On the Networking > Outgoing > Ports page, point to the port rule and select Edit.
2 In the Edit port rule dialog box, make any changes required. See Creating a Port Rule on page 73 for information on the settings available.
3 Click Save changes to apply the changes and close the dialog box.

Editing a Port Rule’s Contents
To edit the contents of a port rule:
1 On the Networking > Outgoing > Ports page, click the rule’s content arrow. The ports/services contained in the rule are displayed.
2 Point to the port/service and click Edit. In the Edit port/service dialog box, make any changes required. See Creating a Port Rule on page 73 for information on the settings available.
3 Click Save changes to apply the changes and close the dialog box.

Deleting a Port Rule
To delete a port rule:
1 On the Networking > Outgoing > Ports page, point to the rule and select Delete.
2 When prompted, click Delete to confirm that you want to delete the rule and its contents.

Working with Outbound Access Policies
Advanced Firewall enables you to create policies which determine outbound access for network traffic and services depending on:
• the group(s) an authenticated user belongs to, or
• the source and/or destination of the traffic.
By default, Advanced Firewall contains a default outbound access policy which uses the Allow all port rule and allows unrestricted outbound access to the Internet. If the outbound network traffic or service does not match any policy, the Default policy is applied. You can reorder outbound access policies to suit your requirements. Note: Once the network traffic matches a policy, Advanced Firewall does not apply any further policy matching.

Creating Outbound Access Policies for Groups
The Groups section is used to assign outbound access policies to traffic or services from users in an authenticated group of users.
To assign a policy to a group of users:
1 Navigate to the Networking > Outgoing > Policies page.
2 Click Add new policy. The following dialog box opens.
3 Configure the following settings:
Status – Select Enabled to enable the policy.
Group – From the drop-down menu, select the group to which the outbound access policy applies.
Port rule – From the drop-down menu, select which port rule to use in the outbound access policy. For more information on port rules, see Working with Port Rules on page 72.
Comment – Enter a description for the policy.
4 Click Add. The policy is added to the list of groups.
5 Place the policy where it is required by selecting it and using Up or Down, or by dragging it to the correct position and clicking Save moves. Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.

Note: Group policies cannot be enforced in all circumstances. If a user has not actively authenticated themselves, using the SSL Login page or by some other authentication method, the user is unknown to the system and a policy cannot be applied. Group policies are often more suitable for allowing access to ports and services. In such situations, users have a reason to pro-actively authenticate themselves so that they can gain access to an outbound port or service.

Creating Outbound Access Policies for Traffic from Sources and/or Destinations
When the source and/or destination IP addresses of outbound traffic match a policy in the Sources and Destination addresses, Advanced Firewall checks that the traffic does not break the port rule(s) assigned to that source and/or destination.
To create a policy:
1 Browse to the Networking > Outgoing > Policies page.
2 Click Add new policy.
3 In the Add new policy dialog box, configure the following settings:
Status – Select to enable the policy.
Name – Enter a name for the policy.
Source – Configure one of the following to apply the policy to:
• Any – Any source IP address.
• A single source IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
Destination – Configure one of the following to apply the policy to:
• Any – Any destination IP address.
• A single destination IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
Port rule – From the drop-down list, select the port rule to apply. For more information, see Working with Port Rules on page 72.
Comment – Enter a description for the policy.

4 Click Add. The policy is added to the list of sources and destinations.
5 Place the policy where it is required by selecting it and using Up or Down, or by dragging the rule to the correct position and clicking Save moves. Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.

Editing a Policy
To edit a policy:
1 On the Networking > Outgoing > Policies page, point to the rule and select Edit.
2 In the Edit policy dialog box, make any changes required. See Creating Outbound Access Policies for Traffic from Sources and/or Destinations on page 77 for information on the settings available.
3 Click Save changes to apply the changes and close the dialog box.

Deleting a Policy
To delete a policy:
1 On the Networking > Outgoing > Policies page, point to the rule and select Delete.
2 When prompted, click Delete to confirm that you want to delete the policy.

Managing External Services
Note: The External services page has been superseded by the functionality on the Networking > Outgoing > Policies page and has been deprecated. It will be removed in a future Advanced Firewall update.
You can prevent local network hosts from using external services by creating appropriate policies to stop outbound traffic.
To create an external service rule:
1 Navigate to the Networking > Outgoing > External services page and configure the following settings:
Service – Select Empty from the drop-down list.
Service rule name – Enter a name for the rule.
Rejection logging – Select to log all traffic rejected by the external services rule.
Stealth mode – Select to allow traffic that would normally be rejected by the external services rule and log all traffic in the firewall logs.
2 Click Save.
3 In the Add a new rule area, configure the following settings:
Destination IP – Enter the IP address of the external service to which the rule applies.
Protocol – Select the protocol used by the service.
Service – From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
Port – If User defined is selected in the Service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
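The following Python is an added example, not the product's code, for the Working with Outbound Access Policies section: it walks an ordered policy list, applies the first matching group or source/destination policy's port rule, honours the Stealth mode and Rejection logging options of port rules, and falls through to the Default (Allow all) policy. The policy set, group names and port lists are constructed samples; address matching covers Any, a single IP and x.x.x.x/y subnets only (the x-y range form is not modelled), and treating Allow all as a reject-only-listed rule with an empty list is this example's choice.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PortEntry = Tuple[str, Tuple[int, int]]   # (protocol, (first port, last port))


@dataclass
class PortRule:
    name: str
    action: str                       # "allow_only_listed" or "reject_only_listed"
    listed: Set[PortEntry] = field(default_factory=set)
    rejection_logging: bool = False   # log requests this rule rejects
    stealth_mode: bool = False        # log the request but do not reject it

    def is_listed(self, protocol: str, port: int) -> bool:
        return any(p == protocol and lo <= port <= hi for p, (lo, hi) in self.listed)

    def evaluate(self, protocol: str, port: int) -> Tuple[bool, bool]:
        """Return (allowed, logged) for one outbound connection."""
        listed = self.is_listed(protocol, port)
        rejects = (not listed) if self.action == "allow_only_listed" else listed
        if not rejects:
            return True, False
        if self.stealth_mode:
            return True, True
        return False, self.rejection_logging


# The predefined Allow all rule, modelled as "reject only listed" with nothing listed.
ALLOW_ALL = PortRule("Allow all", "reject_only_listed")


@dataclass
class Connection:
    src: str
    dst: str
    protocol: str
    port: int
    user_group: Optional[str] = None  # None = the user has not authenticated


def _address_matches(spec: str, address: str) -> bool:
    """'Any', a single IP, or an x.x.x.x/y subnet."""
    return spec == "Any" or ipaddress.ip_address(address) in ipaddress.ip_network(spec, strict=False)


@dataclass
class Policy:
    name: str
    port_rule: PortRule
    group: Optional[str] = None       # set for a group policy
    source: str = "Any"               # used by source/destination policies
    destination: str = "Any"
    enabled: bool = True

    def matches(self, conn: Connection) -> bool:
        if not self.enabled:
            return False
        if self.group is not None:
            # An unauthenticated user is unknown to the system, so no group policy applies.
            return conn.user_group == self.group
        return _address_matches(self.source, conn.src) and _address_matches(self.destination, conn.dst)


def decide(policies: List[Policy], conn: Connection) -> Tuple[str, bool, bool]:
    """Walk the ordered list; the first match ends matching, and traffic that
    matches no policy gets the Default policy. Returns (policy name, allowed, logged)."""
    for policy in policies:
        if policy.matches(conn):
            allowed, logged = policy.port_rule.evaluate(conn.protocol, conn.port)
            return policy.name, allowed, logged
    allowed, logged = ALLOW_ALL.evaluate(conn.protocol, conn.port)
    return "Default", allowed, logged


def sample_policies() -> List[Policy]:
    """Constructed policy set (not a Smoothwall default): authenticated Admins get
    Allow all, a guest subnet gets basic services with rejection logging, and a
    server subnet has a Reject MS ports rule in stealth mode so hits are only logged."""
    basic = PortRule("Allow basic services", "allow_only_listed",
                     {("TCP", (80, 80)), ("TCP", (443, 443)), ("TCP", (53, 53)), ("UDP", (53, 53))},
                     rejection_logging=True)
    ms_ports = PortRule("Reject MS ports", "reject_only_listed",
                        {("TCP", (135, 135)), ("TCP", (137, 139)), ("UDP", (137, 139)), ("TCP", (445, 445))},
                        stealth_mode=True)
    return [
        Policy("Admins", ALLOW_ALL, group="Admins"),
        Policy("Guest wifi", basic, source="192.168.50.0/24"),
        Policy("Server subnet audit", ms_ports, source="192.168.60.0/24"),
    ]


if __name__ == "__main__":
    policies = sample_policies()
    for conn in (Connection("192.168.50.10", "203.0.113.7", "TCP", 25),
                 Connection("192.168.50.10", "203.0.113.7", "TCP", 25, user_group="Admins"),
                 Connection("192.168.60.5", "203.0.113.7", "TCP", 445)):
        print(conn, decide(policies, conn))
```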

Comment – Enter a description of the rule.
Enabled – Select to enable the rule.
4 Click Add. The external service rule is added to the Current rules region.

Editing and Removing External Service Rules
To edit or remove existing external service rules, use Edit and Remove in the Current rules area.


Chapter 8 Advanced Firewall Services
In this chapter:
• Working with portals
• Managing the Web Proxy Service on page 87
• Instant Messenger Proxying on page 93
• Monitoring SSL-encrypted Chats on page 96
• SIP Proxying on page 96
• FTP Proxying on page 99
• Reverse Proxy Service on page 102
• SNMP on page 104
• DNS on page 105
• Censoring Message Content on page 109
• Managing the Intrusion System on page 114
• DHCP on page 119
For information on authentication services, see Chapter 10, Authentication and User Management on page 193.

Working with Portals
Advanced Firewall enables you to create portals which can be configured to make reports and software downloads available and enable users with the correct privileges to ban other users or locations from web browsing. For information on using a portal, see the Advanced Firewall Portal User’s Guide.

Creating a Portal
The following section explains how to create a portal and make it accessible to users in a specific group.

To create a user portal and make it available to users:
1 Browse to the Services > User portal > Portals page.
2 In the Portals area, enter a name for the portal and click Save. Advanced Firewall creates the portal and makes it accessible on your Advanced Firewall system at, for example: http://192.168.72.141/portal/
3 Browse to the Services > User portal > Groups page.

4 Configure the following settings:
Group – From the drop-down menu, select the group containing the users you want to authorize to use the portal. For more information on users and groups, see Chapter 10, Managing Groups of Users on page 216.
Portal – From the drop-down menu, select the portal you want the group to access.
5 Click Add. Advanced Firewall authorizes the group to use the portal. The next step is to configure the portal to enable authorized users to use it to download files, manage web access and display reports.

Configuring a Portal
The following sections explain how to configure an Advanced Firewall portal so that authorized users can view reports, block other users from accessing the web, enable the policy tester, download VPN client files and receive a custom welcome message.

Making Reports Available
To make reports available on a portal:
1 Browse to the Logs and reports > Reports > Reports page.
2 On the Permissions tab, locate the report you want to publish on a portal and click Portal Access. A dialog box containing report details opens.
3 From the Add access drop-down list, select the portal where you want to publish the report and click Add.
4 Click Close to close the dialog box.
5 Browse to the Services > User portal > Portals page and, in the Portals area, configure the following settings:
Portals – From the drop-down list, select the portal on which you want to make reports available and click Select.
6 In the Portal published reports and templates area, configure the following settings:
Enabled – Select Enabled.
Top reports displayed on portal home page – From the drop-down list, select the number of reports you want to display on the portal’s home page. Advanced Firewall will display the most often viewed reports.
7 Browse to the bottom of the page and click Save to save the settings and make the reports available on the portal.

Enabling the Policy Tester
The policy tester enables portal users to test if a URL is accessible to a user at a specific location and time. It also enables them to request that content reported by the tool as blocked be unblocked by Advanced Firewall’s system administrator. For more information, see Chapter 5, Using the Policy Tester on page 58.

To enable the policy tester:
1 Browse to the Services > User portal > Portals page and configure the following setting:
Policy tester – Select Enabled.
2 Configure the following settings:
Allow unblock requests – Select to allow portal users to send an unblock request to Advanced Firewall’s system administrator.
Administrator's email address – Enter the email address to send the unblock request to.
3 Browse to the bottom of the page and click Save to save the settings.

Enabling Groups to Block Users’ Access
You can enable users in a specific group which can access the portal to block individual user web access.
To enable a group to block users:
1 Browse to the Services > User portal > Portals page and, in the Portals area, configure the following settings:
Portals – From the drop-down list, select the portal on which you want to enable groups to block users.
2 In the Portal permissions for web access blocking area, configure the following settings:
Enabled – Select Enabled.
Allow control of groups – Select this option and, in the list of groups displayed, select the group(s) containing the users that the group is authorized to block from accessing the web. To select consecutively listed groups, hold down the Shift key while selecting. To select non-consecutively listed groups, hold down the Ctrl key while selecting.
3 Browse to the bottom of the page and click Save to save the settings.

Enabling Groups to Block Location-based Web Access
You can enable users in a specific group which can access an Advanced Firewall portal to block specific locations from accessing the other networks or external connections. For information on locations, see Chapter 5, Working with Location Objects on page 39.
To authorize blocking:
1 Browse to the Services > User portal > Portals page and, in the Portals area, configure the following settings:
Portals – From the drop-down list, select the portal on which you want to authorize groups to block users.
2 In the Portal permissions for web access blocking area, configure the following settings:
Enabled – Select Enabled.

Allow control of locations – Select this option and, in the list of locations displayed, select the location(s) that the group is authorized to block from accessing the web. To select consecutively listed locations, hold down the Shift key while selecting. To select non-consecutively listed locations, hold down the Ctrl key while selecting.
3 Browse to the bottom of the page and click Save to save the settings.

Making the SSL VPN Client Archive Available
You can configure Advanced Firewall portals to make an SSL VPN client archive available for download on the portal. See Chapter 9, Virtual Private Networking on page 127 for information on how to create the archive.
To make the archive available:
1 In the VPN connection details area, select SSL VPN client archive download.
2 Browse to the bottom of the page and click Save to save the settings.

Configuring a Welcome Message
Advanced Firewall enables you to display a customized welcome message when a user visits a portal.
To display a welcome message on a portal:
1 Browse to the Services > User portal > Portals page and, in the Welcome message area, configure the following settings:
Welcome message – Select to display the message on the portal. In the text box, enter a welcome message and/or any information you wish the user to have, for example regarding acceptable usage of the portal.
2 Browse to the bottom of the page and click Save to save the settings.

Assigning Groups to Portals
The following section explains how to assign a group of users to a portal so that they can access it. For more information on groups, see Chapter 10, Managing Groups of Users on page 216.
To assign a group to a portal:
1 Browse to the Services > User portal > Groups page.
2 Configure the following settings:
Group – From the drop-down menu, select the group you want to allow access to the portal.
Portal – From the drop-down menu, select the portal you want the group to access.
3 Click Add. Advanced Firewall will allow members of the group to access the specified portal.

Making User Exceptions
You can configure Advanced Firewall so that a user uses a specific portal. This setting overrides group settings.

To make user exceptions on a portal:
1 Browse to the Services > User portal > User exceptions page.
2 Configure the following settings:
Setting – Description
Username – Enter the username of the user you want to access the portal.
Portal – From the drop-down list, select the portal you want the user to access.
3 Click Add.
4 Click Save to save the changes.

Editing Portals
The following section explains how to edit a portal.
To edit a portal:
1 Browse to the Services > User portal > Portals page.
2 From the Portals drop-down list, select the portal you want to edit.
3 Make the changes you require; see Configuring a Portal on page 83 for information on the settings available.

Accessing Portals
The following section explains how to access a portal.
To access a portal:
1 In the browser of your choice, enter the URL to the portal on your Advanced Firewall system, for example: http://192.168.72.141/portal/
2 Accept any certificate and other security information. Advanced Firewall displays the login page for the portal.
3 Enter a valid username and password and click Login. Advanced Firewall gives the user access to the portal. The portal is displayed.
For more information, see the Advanced Firewall Portal User Guide.

Deleting Portals
The following section explains how to delete a portal.
To delete a portal:
1 Browse to the Services > User portal > Portals page.
2 From the Portals drop-down list, select the portal you want to delete.
3 Click Delete. Advanced Firewall deletes the portal.

Managing the Web Proxy Service
Advanced Firewall’s web proxy service provides local network hosts with controlled access to the Internet with the following features:
• Transparent or non-transparent operation
• Caching controls for improved resource access times
• Support for automatic configuration scripts
• Support for remote proxy servers.

Configuring and Enabling the Web Proxy Service
To configure and enable the web proxy service:
1 Navigate to the Services > Proxies > Web proxy page.

2 Configure the following settings:
Control – Description
Cache size – Enter the amount of disk space, in MBytes, to allocate to the web proxy service for caching web content, or accept the default value. The cache size should be configured to an approximate size of around 40% of the system’s total storage capacity. Larger cache sizes can be specified, up to a maximum of around 10 gigabytes – approximately 10000 megabytes for a high performance system with storage capacity in excess of 25 gigabytes – but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages. The specified size must not exceed the amount of free disk space available. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached.
Remote proxy – Optionally, enter the IP address of a remote proxy in the following format: hostname:port. Used to configure the web proxy to operate in conjunction with a remote web proxy. In most scenarios this field will be left blank and no remote proxy will be used. Larger organizations may wish to use a dedicated proxy, or sometimes ISPs offer remote proxy servers to their subscribers.
Remote proxy username – Enter the remote proxy username if using a remote proxy with user authentication.
Remote proxy password – Enter the remote proxy password when using a remote proxy with user authentication.
Max object size – Specify the largest object size that will be stored in the proxy cache. Objects larger than the specified size will not be cached. This prevents large downloads filling the cache. The default is no limit.
Min object size – Specify the smallest object size that will be stored in the proxy cache. Objects smaller than the specified size will not be cached. This can be useful for preventing large numbers of tiny objects filling the cache. The default is no minimum – this should be suitable for most purposes.
Max incoming size – Specify the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. This can be used to prevent excessive and disruptive download activity. The default is no limit.
Max outgoing size – Specify the maximum amount of outbound data that can be sent by a browser in any one request. This can be used to prevent large uploads or form submissions. The default of 4096 K bytes (4 M bytes) should be adjusted to a value suitable for the needs of the proxy end-users.

Control – Description
Enabled – Select to enable the web proxy service.
Transparent – Select to enable transparent proxying. When operating in transparent mode, network hosts and users do not need to configure their web browsers to use the web proxy. All requests are automatically redirected through the cache. This can be used to prevent network hosts from browsing without using the proxy server. In non-transparent mode, proxy server settings (IP address and port settings) must be configured in all browsers. For more information, see About Web Proxy Methods on page 91.
Disable proxy logging – Select to disable the proxy logging.
Allow admin port access – Select to permit access to other network hosts over ports 81 and 441, or other non-standard HTTP and HTTPS services, through the proxy. This is useful for accessing a remote Smoothwall system. In normal circumstances such communication would be prevented. Note: By selecting this option, it is possible to partially bypass the admin access rules on the System > Administration > Admin options page. This would allow internal network hosts to access the admin logon prompt via the proxy.
Do not cache – Enter any domains that should not be web cached, one entry per line. Enter domain names without the www. prefix. This can be used to ensure that old content of frequently updated web sites is not cached.
Banned local IP addresses – Enter any IP addresses on the local network that are completely banned from using the web proxy service. If any hosts contained in this list try to access the web they will receive an error page stating that they are banned.
Exception local IP addresses – Enter any IP addresses on the local network that should be completely exempt from authentication restrictions. Exception local IP addresses are typically used to grant administrator workstations completely unrestricted Internet access.
No user authentication – Select to allow users to globally access the web proxy service without authentication.
Proxy authentication – Select to allow users to access the web proxy service according to the username and password that they enter when prompted by their web browser. The username and password details are encoded in all future page requests made by the user's browser software. Note: You can only use proxy authentication if the proxy is operating in non-transparent mode.
Core authentication – Select to allow users to access the web proxy service by asking the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user’s status is returned by the authentication system as unauthenticated.
Groups allowed to use web proxy – Authenticated users can be selectively granted or denied access to the web proxy service according to their authentication group membership. Proxy access permissions are only applied if an authentication method other than No user authentication has been selected.
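The access decision these settings describe, worked through as an added JavaScript example (not Smoothwall's implementation): banned local IPs, exception local IPs, the three authentication methods and the group restriction. The order in which the checks are applied is an assumption of this example, and the sample addresses, users and credentials are constructed.

```javascript
// Added example, not Smoothwall code: models the web proxy access controls
// described in the settings table. Check order (banned, exception,
// authentication method, group membership) is an assumption.
const AUTH_NONE = "No user authentication";
const AUTH_PROXY = "Proxy authentication";
const AUTH_CORE = "Core authentication";

// Constructed configuration using the guide's example network.
const proxyConfig = {
  transparent: false,
  authMethod: AUTH_PROXY,
  bannedLocalIps: ["192.168.72.50"],
  exceptionLocalIps: ["192.168.72.10"],   // e.g. an administrator workstation
  groupsAllowed: ["staff"],
};

// Constructed directories standing in for the authentication system.
const USERS_BY_CREDENTIAL = {           // proxy authentication (browser prompt)
  "alice:correct-horse": { name: "alice", groups: ["staff"] },
  "bob:battery-staple":  { name: "bob",   groups: ["guests"] },
};
const USERS_BY_IP = {                    // core authentication (known user at IP)
  "192.168.72.20": { name: "alice", groups: ["staff"] },
};

// Own-property lookup so keys such as "constructor" cannot match a prototype
// member and be mistaken for a user record.
function lookup(table, key) {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : null;
}

// request: { ip, credentials } where credentials is "user:password" or absent.
function decide(cfg, request) {
  // Banned hosts receive the error page whatever else is configured.
  if (cfg.bannedLocalIps.includes(request.ip)) {
    return { allowed: false, reason: "banned local IP: error page returned" };
  }
  // Exception hosts are exempt from authentication, and with it from the
  // group restriction, so this list deserves the same care as an admin ACL.
  if (cfg.exceptionLocalIps.includes(request.ip)) {
    return { allowed: true, reason: "exception local IP: exempt from authentication" };
  }
  // Without user authentication everyone browses; group permissions do not apply.
  if (cfg.authMethod === AUTH_NONE) {
    return { allowed: true, reason: "no user authentication" };
  }
  let user = null;
  if (cfg.authMethod === AUTH_PROXY) {
    // The browser's credential prompt needs browsers talking to the proxy
    // directly, so proxy authentication requires non-transparent mode.
    if (cfg.transparent) {
      return { allowed: false, reason: "proxy authentication requires non-transparent mode" };
    }
    user = lookup(USERS_BY_CREDENTIAL, request.credentials);
    if (!user) return { allowed: false, reason: "authentication required: browser prompts for credentials" };
  } else if (cfg.authMethod === AUTH_CORE) {
    user = lookup(USERS_BY_IP, request.ip);
    if (!user) return { allowed: false, reason: "unauthenticated: no known user at this IP" };
  }
  // Groups allowed to use the web proxy apply to authenticated users only.
  const permitted = user.groups.some((g) => cfg.groupsAllowed.includes(g));
  return permitted
    ? { allowed: true, reason: "authenticated as " + user.name }
    : { allowed: false, reason: user.name + " is not in an allowed group" };
}
```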

Control – Description
Automatic configuration script custom direct hosts – Enter any additional hosts required in the automatic configuration script’s list of direct (non-proxy routing) hosts. All hosts listed will be automatically added to a browser's Do not use proxy server for these addresses proxy settings if it accesses the automatic configuration script for its proxy settings. This is useful for internal web servers such as a company intranet server. Note: Browsers must be configured to access the automatic configuration script to receive this list of direct routing hosts.
Use automatic configuration script address – After enabling and restarting the service, the automatic configuration script location is displayed here. Note: Microsoft Internet Explorer provides only limited support for automatic configuration scripts. Tests by Smoothwall indicate a number of intermittent issues regarding the browser’s implementation of this feature. Smoothwall recommends the use of Mozilla-based browsers when using the automatic configuration script functionality.
Manual web browser proxy settings – After enabling and restarting the service, the proxy address and port settings to be used when manually configuring end-user browsers are displayed here.
Interfaces – Select the interface for the web proxy traffic.
3 Save and restart the web proxy service by clicking Save and Restart or Save and Restart with cleared cache. The web proxy will be restarted with any configuration changes applied.
Note: Restarting may take up to a minute to complete. During this time, end-user browsing will be suspended and any currently active downloads will fail. It is a good idea to restart when it is convenient for the proxy end-users.
Note: Save and Restart with cleared cache – Used to save configuration changes and empty the proxy cache of all data. This is useful when cache performance has been degraded by the storage of stale information – typically from failed web-browsing or poorly constructed web sites.

About Web Proxy Methods
The following sections discuss the types of web proxy methods supported by Advanced Firewall.

Transparent Proxying
If Advanced Firewall's web proxy service has been configured to operate in transparent mode, all HTTP port 80 requests will be automatically redirected through the proxy cache. If you are having problems with transparent proxying, check that the following settings are not configured in end-user browsers:
• Automatic configuration
• Proxy server.

Non-Transparent Proxying
If Advanced Firewall’s web proxy service has not been configured to operate in transparent mode, all end-user browsers on local workstations in Advanced Firewall network zones must be configured.
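An automatic configuration script (PAC file) of the kind the web proxy serves as proxy.pac, added here as an example; it is not the script Advanced Firewall generates. It sends everything through the proxy except the custom direct hosts; the proxy address follows the guide's examples (192.168.72.141, port 800) and the internal host and domain names are assumed.

```javascript
// Added example of an automatic configuration script (PAC file); not the
// script Advanced Firewall generates. Proxy address follows the guide's
// examples; direct-host names are hypothetical.
var PROXY = "PROXY 192.168.72.141:800";

// The "custom direct hosts" list: the firewall itself and internal servers
// such as a company intranet, which browsers must reach without the proxy.
var DIRECT_HOSTS = ["192.168.72.141", "intranet.example.internal"];

// Internal domains whose hosts are all reached directly (assumed).
var DIRECT_DOMAINS = [".example.internal"];

// Browsers provide these PAC helper functions natively; minimal equivalents
// are defined here so the script can also be exercised under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// The browser calls this for every URL; the result is "DIRECT" or a proxy list.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain host names (no dots) are local by convention and bypass the proxy.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) {
      return "DIRECT";
    }
  }
  for (var j = 0; j < DIRECT_DOMAINS.length; j++) {
    if (dnsDomainIs(host, DIRECT_DOMAINS[j])) {
      return "DIRECT";
    }
  }
  // Everything else goes through the web proxy. Deliberately no "; DIRECT"
  // fallback: if the proxy is down, browsing fails rather than silently
  // bypassing the proxy's access controls and logging.
  return PROXY;
}
```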

You can configure browser settings:
• Manually – Browsers are manually configured to enable Internet access. This information is displayed on the Services > Proxies > Web proxy page.
• Automatically using a configuration script – Browsers are configured to receive proxy configuration settings from an automatic configuration script. The configuration script is automatically generated by Advanced Firewall and is accessible to all network zones that the web proxy service is enabled on. The location is displayed on the Services > Proxies > Web proxy page.
• WPAD automatic script – Browsers are configured to automatically detect proxy settings, and a local DNS server or Advanced Firewall static DNS has a host wpad.YOURDOMAINNAME added.

Configuring End-user Browsers
The following steps explain how to configure web proxy settings in the latest version of Internet Explorer available at the time of writing.
To configure Internet Explorer:
1 Start Internet Explorer, and from the Tools menu, select Internet Options.
2 On the Connections tab, click LAN settings.
3 Configure the following settings:
Method – To configure:
Manual –
1 In the Proxy server area, select Use a proxy server for your LAN …
2 Enter your Advanced Firewall's IP address and port number 800.
3 Click Advanced to access more settings.
4 In the Exceptions area, enter the IP address of your Advanced Firewall and the IP addresses of any other content that you do not want filtered, for example, your intranet or local wiki.
5 Click OK and OK to save the settings.
Automatic configuration script –
1 In the Automatic configuration area, select Use automatic configuration script.
2 In the Automatic configuration script area, enter the location of the script, for example: http://192.168.72.141/proxy.pac
3 Ensure that no other proxy settings are enabled or have entries.
4 Click OK and OK to save the settings.

WPAD –
Note: This method is only recommended for administrators familiar with configuring web and DNS servers.
When enabled in end-user browsers, Web Proxy Auto-Discovery (WPAD) prepends the hostname wpad to the front of its fully qualified domain name and looks for a web server on port 80 that can supply it a wpad.dat file. The file tells the browser what proxy settings it should use.
Note: PCs will have had to be configured with the same domain name as the A record for it to work.
Microsoft Knowledge Base article Q252898 suggests that the WPAD method does not work on Windows 2000. They suggest that you should use a DHCP auto-discovery method using a PAC file. However, this is contrary to some of our testing. See the article for more information.
1 In the Automatic configuration area, select Automatically detect settings.
2 Click OK and OK to save the settings.
3 On a local DNS server or using Advanced Firewall static DNS, add the host wpad.YOURDOMAINNAME, substituting your domain name. The host must resolve to the Advanced Firewall IP.

Instant Messenger Proxying
Advanced Firewall’s Instant Messenger (IM) proxy service can log the majority of IM traffic. Advanced Firewall can also censor instant messaging content; for more information, see Censoring Message Content on page 109.
Note: Advanced Firewall cannot monitor IM sessions within HTTP requests, such as when Microsoft MSN connects through an HTTP proxy. Neither can Advanced Firewall intercept conversations which are secured by end-to-end encryption, such as provided by Off-the-Record Messaging (http://www.cypherpunks.ca/otr/). However, using SSL Intercept, Advanced Firewall can monitor Jabber/Google Talk and AIM sessions protected by SSL, see below.

To configure the instant messaging proxy service:
1 Browse to the Services > Proxies > Instant messenger page.
2 Configure the following settings:
Setting – Description
Enabled – Select to enable the instant messaging proxy service.

Setting – Description
Enable Message Censor – Select to enable censoring of words usually considered unsuitable. When this option is selected, Advanced Firewall censors unsuitable words by replacing them with *s. For more information, see Censoring Message Content on page 109.
Enabled on interfaces – Select the interfaces on which to enable IM proxying.
MSN – Select to proxy and monitor Microsoft Messenger conversations.
AIM and ICQ – Select to proxy and monitor ICQ and AIM conversations.
Yahoo – Select to proxy and monitor Yahoo conversations.
Jabber – Select to proxy and monitor conversations which use the Jabber protocol.
GaduGadu – Select to proxy and monitor GaduGadu conversations.
Intercept SSL – Select to monitor conversations on Google Talk or AIM instant messaging clients which have SSL mode enabled. For more information, see Monitoring SSL-encrypted Chats on page 96.
Hide conversation text – Select this option to record instant message events, such as messages in and out, but to discard the actual conversation text before logging.
Block all filetransfers – Select this option to block file transfers using certain IM protocols. Currently, when enabled, this setting blocks files transferred using MSN, ICQ, AIM and Yahoo IM protocols.
Blocked response – Select to inform IM users that their message or file transfer has been blocked. Note: This option does not work with the ICQ/AIM protocol.
Blocked response message – Optionally, enter a message to display when a message or file is blocked. If multiple messages or files are blocked, this message is displayed at 15 minute intervals.
Logging warning response – Select to inform IM users that their conversation is being logged. This option does not work with the ICQ/AIM protocol.
Logging warning response message – Optionally, enter a message to display informing users that their conversations are being logged, or accept the default message. This message is displayed once a week.
White-list users – To whitelist a user, enter their instant messaging ID, for example JohnDoe@hotmail.com. Once added to the white-list, the remote user and the local user can instant message each other freely.
Black-list users – To blacklist a user, enter their instant messaging ID, for example JaneDoe@hotmail.com.
Automatic whitelisting – Settings here enable you to control who can instant message your local users.
Block unrecognized remote users – Select this option to automatically add a remote user to the white-list when a local user sends them an instant message. Any remote users who are not on the white-list are automatically blocked.
Number of current entries – Displays the number of entries currently in the whitelist user list.
Clear Automatic Whitelisted user list – Click to clear the white-list.

Exception local IP addresses – To exclude specific IP addresses, enter them here.
3 Click Save to save and implement your settings.

Monitoring SSL-encrypted Chats
Advanced Firewall can monitor Google Talk and AIM instant message (IM) chats which use SSL for encryption.
To monitor SSL-encrypted conversations:
1 Browse to the Services > Proxies > Instant messenger page. Enable IM proxying and configure the settings you require. For full information on the settings available, see Instant Messenger Proxying on page 93.
2 Select Intercept SSL, select the interfaces on which to enable the monitoring and click Save. Advanced Firewall generates an Advanced Firewall CA certificate.
3 Click Export Certificate Authority certificate.
4 Download and install the certificate on PCs which use Google Talk and SSL-enabled AIM IM clients. Advanced Firewall will now monitor and log the chats.
Note: Using Network Guardian to monitor SSL-encrypted IM chats reduces security on IM clients as the clients are unable to validate the real IM server certificate.

SIP Proxying
Advanced Firewall supports a proxy to manage Session Initiation Protocol (SIP) traffic. SIP normally operates on port 5060, and is used to set up sessions between two parties. SIP is often used to set up calls in Voice over Internet Protocol (VoIP) systems. In the case of VoIP, it is a RealTime Protocol (RTP) session that is set up, and it is the RTP stream that carries voice data. RTP operates on random unprivileged ports and, as such, is not NAT friendly. For this reason, Advanced Firewall’s SIP proxy is also able to proxy RTP traffic, solving some of the problems involved in setting up VoIP behind NAT. Advanced Firewall’s SIP proxy ensures that RTP is also proxied, allowing VoIP products to work correctly.

Types of SIP Proxy
There are two types of SIP proxy: a registering SIP proxy, and a pass-through proxy. A registering proxy or registrar allows SIP clients to register so that they may be looked up and contacted by external users. A pass-through proxy merely rewrites the SIP packets such that the correct IP addresses are used and the relevant RTP ports can be opened. Some clients will allow users to configure one SIP proxy – this is invariably the registering proxy; others will allow for two proxies, one to which the client will register, and one which the client uses for access, a pass-through.

Choosing the Type of SIP Proxying
As with many types of proxy, the SIP proxy can be used in transparent mode. This mode is useful for those clients which do not support a second proxy within their configuration. In transparent mode, the proxy is only useful as a pass-through. If all your clients can be properly configured with a second proxy, transparent mode is not required. If the proxy is operating in transparent mode, the non-transparent proxy is still available, so a mixture of operation is possible.

Configuring SIP
To configure and enable the SIP proxy:
1 Browse to the Services > Proxies > SIP page.
2 Configure the following settings:
Setting – Description
Enabled – Select to enable the SIP proxy service.
SIP client internal interface – From the drop-down list, select the interface for the SIP proxy to listen for connections on. This is the interface on which you will place your SIP clients.
Maximum number of clients – Select the maximum number of clients which can use the proxy. Setting the maximum number of clients is a useful way to prevent malicious internal users performing a DoS on your registering proxy.
Logging – Select the logging level required. Select from: Normal – Just warnings and errors; Detailed – Warnings, errors and informational messages; Very detailed – Everything, including debugging messages.
Log calls – Select if you require individual call logging.

Setting – Description
Diffserv mark for RTP packets – From the drop-down menu, select a Diffserv mark to apply to SIP RTP packets. The built-in RTP proxy is able to apply a diffserv mark to all RTP traffic for which it proxies. This is useful because it is otherwise quite tricky to define RTP traffic, as it may occur on a wide range of ports. This traffic can be traffic shaped with SmoothTraffic, Smoothwall’s Quality of Service (QoS) module, if it is installed. In this way, traffic passing through the firewall may be prioritized to give a consistent call quality to VoIP users. Prioritizing SIP traffic on port 5060 would not make any difference to VoIP calls. The standard mark is BE, which is equivalent to doing nothing. Other marks may be interpreted by upstream networking equipment, such as that at your ISP, and can also be acted upon by SmoothTraffic, if it is installed.
Transparent – The SIP proxy may be configured in both transparent and non-transparent mode. Select this option if you require a transparent SIP proxy. When operating transparently, the SIP proxy is not used as a registrar, but will allow internal SIP devices to communicate properly with an external registrar such as an ITSP. Note: If a client is using the proxy when transparent proxying is turned on, the existing users may fail to use the transparent proxy until the firewall is rebooted. This is due to the in-built connection tracking of the firewall’s NAT.
Exception IPs – Hosts which should not be forced to use the transparent SIP proxy must be listed in this box.
3 Click Save to enable and implement SIP proxying.

FTP Proxying
Advanced Firewall provides you with a proxy to manage FTP traffic and also makes transparent proxying possible.

Configuring non-Transparent FTP Proxying
The following section explains how to configure FTP proxying in non-transparent mode.
1 Browse to the Services > Proxies > FTP page.
2 Configure the following settings:
Setting – Description
Status – Select Enabled to enable the FTP proxy.
Proxy port – From the drop-down list, select the port for FTP traffic. Note: The port you select must be open for the FTP client. You configure this on the System > Administration > External access page. See Chapter 13, Configuring External Access on page 273 for more information.
Anti-malware scanning – Select to scan files for malware. Note: For performance reasons, files larger than 100 MB are not scanned for malware.

Setting – Description
Access control –
Allow connections to any server – Select to allow FTP connections to all servers.
Only connections to specified servers – Select to specify which remote FTP connections are allowed and configure the following:
Remote FTP server white-list – Enter the hostname or IP address of any remote FTP servers you want to white-list. Enter one hostname or IP, colon and port per line, for example: ftp.company.com or 1.2.3.4. If no information is listed, all hostnames on all ports will be accessible.
3 Click Save changes to save the settings and enable non-transparent FTP proxying.
4 Configure FTP clients as follows:
Setting – Description
Remote host – Enter Advanced Firewall’s hostname or IP address.
Remote port – Enter the FTP proxy port configured on Advanced Firewall, either 21 or 2121. See Configuring non-Transparent FTP Proxying on page 99 for more information.
Remote username – Enter the username in the following format: remoteusername@remoteftpserver

Configuring Transparent FTP Proxying
To configure transparent FTP proxying:
1 Browse to the Services > Proxies > FTP page.

2 Configure the following settings:
Setting – Description
Status – Select Enabled to enable the FTP proxy.
Proxy port – From the drop-down list, select the port for FTP traffic. Note: The port you select must be open for the FTP client. You configure this on the System > Administration > External access page. See Chapter 13, Configuring External Access on page 273 for more information.
Anti-malware scanning – Select to scan files for malware. Note: For performance reasons, files larger than 100 MB are not scanned for malware.
Access control –
Allow connections to any server – Select to allow FTP connections to all servers.
Only connections to specified servers – Select to specify which remote FTP connections are allowed and configure the following:
Remote FTP server white-list – Enter the hostname or IP address of any remote FTP servers you want to white-list. Enter one hostname or IP, colon and port per line, for example: ftp.company.com or 1.2.3.4. If no information is listed, all hostnames on all ports will be accessible.
3 In the Transparent proxy settings area, configure the following settings:
Setting – Description
Source IPs –
Transparently proxy all IPs – Select to transparently FTP proxy for all source IPs.
Transparently proxy only the following IPs – Select to transparently FTP proxy for the source IPs specified. Enter the IP addresses of local machines which are to be allowed access to transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4
Transparently proxy all except the following IPs – Select to transparently FTP proxy all except the source IPs specified. Enter the IP addresses of local machines which are to be excluded from transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4

Destination IPs –
Transparently proxy all IPs – Select to transparently FTP proxy for all destination IPs.
Transparently proxy only the following IPs – Select to transparently FTP proxy for the destination IPs specified. Enter the IP addresses of the machines which are to be allowed access to transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4
Transparently proxy all except the following IPs – Select to transparently FTP proxy all except the destination IPs specified. Enter the IP addresses of the machines which are to be excluded from transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4
Transparent proxy interfaces – Select the interface on which to transparently proxy FTP traffic.
4 Click Save changes to save the settings and enable transparent FTP proxying.
When running Advanced Firewall’s FTP proxy in transparent mode, you do not need to configure FTP client applications.

Reverse Proxy Service
Advanced Firewall’s reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. The reverse proxy service:
• Provides the ability to route multiple HTTP and HTTPS sites to each of their own internal servers
• Provides the ability to publish Microsoft Exchange services such as Outlook Web Access (OWA) and Outlook Anywhere (previously RPC over HTTPS)
• Monitors traffic passing through the reverse proxy
• Increases server efficiency by SSL off-loading
• Improves web server security using an intrusion prevention system (IPS).

Configuring the Reverse Proxy Service
The following sections explain how to enable, configure and deploy the reverse proxy service.
To enable, configure and deploy the reverse proxy service:
1 Navigate to the Services > Proxies > Reverse proxy page.
2 In the Global options area, configure the following settings:
Setting – Description
Reverse proxy – Select one of the following settings: Enable – Select to enable the service. Disable – Select to disable the service.
SSL certificate – The reverse proxy service caters for HTTPS sites using an SSL certificate. Select one of the following options to specify the SSL certificate to use:
Built-in – Select this option to use Advanced Firewall’s built-in SSL certificate.
Custom certificate – Select this option to upload a custom certificate and key file. To upload a custom certificate and key:
1 Certificate – Click the Choose file/Browse button and browse to and select the certificate. Click Upload to upload the certificate.
2 Key – Click the Choose file/Browse button and browse to and select the key. Click Upload to upload it.
Note: The certificate and key files must be distinct and separate and they must be in the unencrypted PEM format.
Tip: You can use the XCA certificate and key management client to import and export your SSL certificates and key files in any standard format.

3 Optionally, click Advanced and configure the following settings:
Intrusion prevention – Advanced Firewall’s intrusion prevention system (IPS) policies stop intrusions such as known and zero-day attacks, undesired access and denial of service. Select Enable apply to apply an enabled IPS policy. For more information, see Managing the Intrusion System on page 114.
Click Save to save the global options.
4 In the Manage rule area, configure the following settings:
Name – Enter a descriptive name for the reverse proxy rule.
External address – Enter the URL, domain or IP address of the site you want to publish in the following format: http://example.com or http://example.com/, e.g. https://www.example.com. You must include http or https in the address. You can also enter a path to the site you want to publish in the URL, e.g. http://example.com/path/. To use a wildcard, specify it as: http://*.example.com.
Note: When configuring www.example.com and example.com, they are treated as distinct and separate sites, unless you use a wildcard for the domain, e.g. *.example.com.
Internal address – Enter the protocol with the IP address or IP address and port of the web server, e.g. http://192.168.1.1 or https://192.168.1.1:1234. A port number is optional on the internal address. If no port is specified, Advanced Firewall will default to 80 for HTTP sites and 443 for HTTPS sites; this enables you to specify custom destination ports for various internal web servers.
Failback internal address – Enter the IP address, or IP address and port, of the web server to failback to if a request does not match an address already configured, e.g. 192.168.1.1 or 192.168.1.1:1234.
5 Click Save. Advanced Firewall enables and deploys the reverse proxy service and lists it in the Rules area.
6 Repeat the steps above to enable, configure and deploy more rules.

SNMP
Simple Network Management Protocol (SNMP) is part of the IETF’s Internet Protocol suite. It is used to enable a network-attached device to be monitored, typically for centralized administrative purposes. In SNMP terminology, Advanced Firewall can be regarded as a managed device when the SNMP service is enabled.
Advanced Firewall’s SNMP service operates as an SNMP agent that gathers all manner of system status information, including the following:
• System name, description, location and contact information
• Live TCP and UDP connection tables
• Detailed network interface and usage statistics
• Network routing table
• Disk usage information
• Memory usage information.
The SNMP service allows all gathered management data to be queried by any SNMP-compatible NMS (Network Management System) device that is a member of the same SNMP community.
Note: To view information and statistics provided by the system's SNMP service, a third-party SNMP management tool is required. For specific details about how to view all the information made accessible by Advanced Firewall’s SNMP service, please refer to the product documentation that accompanies your preferred SNMP management tool.

To enable and configure the SNMP service:
1 Navigate to the Services > SNMP > SNMP page.
2 Select Enabled and enter the SNMP community password into the Community text field. The Community field is effectively a simple password control that enables SNMP devices sharing the same password to communicate with each other. The default value public is the standard SNMP community.
3 Click Save.
Note: To access the SNMP service, remote access permissions for the SNMP service must be configured. For further information, see Chapter 13, Configuring Administration and Access Settings on page 272.

DNS
The following sections discuss domain name system (DNS) services in Advanced Firewall.

Adding Static DNS Hosts
Advanced Firewall can use a local hostname table to resolve internal hostnames. This allows the IP addresses of a named host to be resolved by its hostname.
Note: Advanced Firewall itself can resolve static hostnames regardless of whether the DNS proxy service is enabled.
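The following Python example is added here to illustrate how the reverse proxy rule fields described in the Manage rule area (External address, Internal address and Failback internal address) fit together: the mandatory scheme on the external address, the 80/443 default when the internal address has no port, exact host matching (www.example.com and example.com are distinct sites) unless a wildcard is used, and the failback for requests no rule matches. It is not part of the Advanced Firewall product or of this guide. The prefix matching of a published path, the wildcard covering the bare domain as well as its subdomains, and the failback taking the request scheme’s default port are assumptions made for the example; the rules and request URLs are constructed.

```python
"""Reverse proxy rule matching, modelled on the External address, Internal
address and Failback internal address fields. Added example; not Advanced
Firewall code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}   # used when the internal address carries no port


@dataclass
class Rule:
    name: str
    external: str   # http://example.com, http://example.com/path/, http://*.example.com
    internal: str   # http://192.168.1.1 or https://192.168.1.1:1234


def parse_external(address: str) -> Tuple[str, str, str]:
    """Return (scheme, host pattern, path prefix); http or https is mandatory."""
    parts = urlsplit(address)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"external address must be http://host or https://host: {address!r}")
    return parts.scheme, parts.hostname, parts.path or "/"


def parse_internal(address: str) -> Tuple[str, str, int]:
    """Return (scheme, ip, port); a missing port defaults to 80 or 443 by scheme."""
    parts = urlsplit(address)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"internal address must be http://ip[:port] or https://ip[:port]: {address!r}")
    ipaddress.ip_address(parts.hostname)          # the field takes an IP address, not a name
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def parse_failback(address: str) -> Tuple[str, Optional[int]]:
    """The failback address is IP or IP:port, with no scheme."""
    host, _, port = address.partition(":")
    ipaddress.ip_address(host)
    return host, int(port) if port else None


def host_matches(pattern: str, host: str) -> bool:
    """Exact match unless the pattern is a wildcard: www.example.com and
    example.com are distinct sites, while *.example.com covers both
    (assumption: the wildcard also covers the bare domain)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        bare = pattern[2:]
        return host == bare or host.endswith("." + bare)
    return host == pattern


def route(rules, request_url: str, failback: Optional[str] = None):
    """Pick the backend (rule name, ip, port) for a request URL, or the failback
    when no rule matches; None when there is no failback either."""
    req = urlsplit(request_url)
    req_path = req.path or "/"
    for rule in rules:
        scheme, pattern, prefix = parse_external(rule.external)
        if scheme == req.scheme and host_matches(pattern, req.hostname or "") and req_path.startswith(prefix):
            _, ip, port = parse_internal(rule.internal)
            return rule.name, ip, port
    if failback:
        ip, port = parse_failback(failback)
        # Assumption: a failback without a port uses the request scheme's default.
        return "failback", ip, port or DEFAULT_PORTS.get(req.scheme, 80)
    return None


# Constructed sample rules (not from any real deployment)
RULES = [
    Rule("intranet", "https://www.example.com", "https://192.168.1.1:1234"),
    Rule("shops", "http://*.example.org/", "http://192.168.1.2"),
]

if __name__ == "__main__":
    print(route(RULES, "https://www.example.com/login"))          # intranet backend on port 1234
    print(route(RULES, "https://example.com/", "192.168.1.9"))    # no exact match: failback, port 443
    print(route(RULES, "http://shop.example.org/cart"))           # wildcard rule, default port 80
```

The check in parse_internal that the host part is an IP address mirrors the field description; a hostname there would be rejected rather than silently resolved at proxy time.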

To add a static DNS host:
1 Navigate to the Services > DNS > Static DNS page.
2 Configure the following settings:
IP address – Enter the IP address of the host you want to be resolved.
Hostname – Enter the hostname that you would like to resolve to the IP address.
Comment – Enter a description of the host.
Enabled – Select to enable the new host being resolved.
3 Click Add. The static host is added to the Current hosts table.

Editing and Removing Static Hosts
To edit or remove existing static hosts, use Edit and Remove in the Current hosts area.

Enabling the DNS Proxy Service
The DNS proxy service is used to provide internal and external name resolution services for local network hosts. In this mode, local network hosts use Advanced Firewall as their primary DNS server to resolve external names, if an external connection is available, in addition to any local names that have been defined in the Advanced Firewall’s static DNS hosts table.

To enable the DNS proxy service on a per-interface basis:
1 Navigate to the Services > DNS > DNS Proxy page.
2 Configure the following settings:
Interfaces – Select each interface that should be able to use the DNS proxy.
Advanced: Forward SRV & SOA records – Optionally, select this setting to stop the DNS proxy from filtering out SRV & SOA records. Any such filtering would prevent SIP, Kerberos and other services from functioning.
3 Click Save.
Note: If the DNS proxy settings were configured as 127.0.0.1 during the initial installation and setup process of Advanced Firewall, the system will use the DNS proxy for name resolution.

Managing Dynamic DNS
Advanced Firewall’s dynamic DNS service is useful when using an external connection that does not have a static IP, in order to enable consistent routing to Advanced Firewall from the Internet. Dynamic host rules are used to automatically update leased DNS records by contacting the service provider whenever the system's IP address is changed by the ISP.
The dynamic DNS service can operate with a number of third-party dynamic DNS service providers. The following dynamic DNS service providers are supported:
DNS service providers: dhs.org, easydns.com, dyndns.org (Custom), dyndns.org (Dynamic), dyndns.org (Static), dyns.cx, no-ip.com, ods.org, hn.org, ez-ip.net, zoneedit.com
Many of these service providers offer a free of charge, basic service.

To create a dynamic host:
1 Navigate to the Services > DNS > Dynamic DNS page.
2 Configure the following settings:
Service – From the drop-down list, select your dynamic DNS service provider.
Behind a proxy – Select if your service provider is no-ip.com and the system is behind a web proxy. Note: This is not necessary when using dyndns.org as the service provider.
Enable wildcards – Select to specify that sub-domains of the hostname should resolve to the same IP address, for example domain.dyndns.org and sub.domain.dyndns.org will both resolve to the same IP. Note: This option cannot be used with no-ip.com, it must be selected from their web site.
Domain – Enter the domain registered with the dynamic DNS service provider.
Hostname – Enter the hostname registered with the dynamic DNS service provider.
Username – Enter the username registered with the dynamic DNS service provider.
Password – Enter the password registered with the dynamic DNS service provider.
Comment – Enter a description of the dynamic DNS host.
Enabled – Select to enable the service.
3 Click Add. The dynamic host will be added to the Current hosts table.

Editing and Removing Dynamic Hosts
To edit or remove existing dynamic hosts, use Edit and Remove in the Current hosts area.

Forcing a Dynamic DNS Update
The dynamic DNS service will update the DNS records for the host whenever the host’s IP address changes. However, it may be necessary on some occasions to forcibly update the service provider's records.

To force an update:
1 Click Force update.

Note: Dynamic DNS service providers do not like updating their records when an IP address has not changed, and may suspend the user accounts of users they deem to be abusing their service.

Censoring Message Content
Advanced Firewall enables you to create and deploy policies which accept, block and/or log content in messages.

Configuration Overview
Configuring a message censor policy entails:
• Defining custom categories required to cater for situations not covered by the default Advanced Firewall phrase lists, for more information, see Creating Custom Categories on page 109
• Configuring time periods during which policies are applied, for more information, see Setting Time Periods on page 110
• Configuring filters which classify messages by their textual content, for more information, see Creating Filters on page 111
• Configuring and deploying a policy consisting of a filter, an action, a time period and level of severity, for more information, see Creating and Applying Message Censor Policies on page 113.

Managing Custom Categories
Custom categories enable you to add phrases which are not covered by the default Advanced Firewall phrase lists. The following sections explain how to create, modify, edit and delete custom categories.

Creating Custom Categories
The following section explains how to create a custom category.

To create a custom category:
1 Browse to the Services > Message censor > Custom categories page.

2 Configure the following settings:
Name – Enter a name for the custom category.
Comment – Optionally, enter a description of the category.
Phrases – Enter the phrases you want to add to the category. Enter one phrase, in brackets, per line, using the format: (example-exact-phrase) – Advanced Firewall matches exact phrases without taking into account possible spelling errors. (example-approximate-phrase)(2) – For the number specified, Advanced Firewall uses ‘fuzzy’ matching to take into account that number of spelling mistakes or typographical errors when searching for a match.
3 Click Add. Advanced Firewall adds the custom category to the current categories list and makes it available for selection on the Services > Message censor > Filters page.
4 At the top of the page, click Restart to apply the changes.

Editing Custom Categories
The following section explains how to edit a custom category.

To edit a custom category:
1 Browse to the Services > Message censor > Custom categories page.
2 In the Current categories area, select the category and click Edit.
3 In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Custom Categories
The following section explains how to delete custom categories.

To delete custom categories:
1 Browse to the Services > Message censor > Custom categories page.
2 In the Current categories area, select the category or categories and click Remove.
3 At the top of the page, click Restart to apply the changes.

Setting Time Periods
You can configure Advanced Firewall to apply policies at certain times of the day and/or days of the week.
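The following Python example is added to show what the Phrases format described under Creating Custom Categories means in practice: one bracketed phrase per line, matched exactly by default, or with a trailing (N) allowing up to N spelling mistakes. It is not Advanced Firewall code, and how the product measures a ‘fuzzy’ match is not documented here; the example assumes edit distance (insertions, deletions and substitutions) against the best-matching substring of the message, which is one reasonable reading of "that number of spelling mistakes". The category and messages are constructed.

```python
"""Phrase-list parsing and matching in the (phrase) / (phrase)(N) format.
Added example; not Advanced Firewall code. The fuzzy measure (edit distance
to the closest substring) is an assumption about how 'fuzzy' is counted."""
import re

PHRASE_RE = re.compile(r"^\((?P<phrase>[^()]+)\)(?:\((?P<fuzz>\d+)\))?$")


def parse_phrase_list(text: str):
    """Return [(phrase, allowed_errors), ...]; rejects lines not in the format."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = PHRASE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected (phrase) or (phrase)(N), got {line!r}")
        rules.append((m["phrase"].strip().lower(), int(m["fuzz"] or 0)))
    return rules


def substring_distance(pattern: str, text: str) -> int:
    """Smallest edit distance between pattern and any substring of text
    (Sellers' approximate substring matching); 0 means an exact hit."""
    prev = [0] * (len(text) + 1)          # an empty pattern prefix matches anywhere at no cost
    for i, pc in enumerate(pattern, 1):
        cur = [i] + [0] * len(text)       # pattern prefix against empty text: i deletions
        for j, tc in enumerate(text, 1):
            cur[j] = min(prev[j] + 1,                 # drop a pattern character
                         cur[j - 1] + 1,              # skip a text character
                         prev[j - 1] + (pc != tc))    # match or substitute
        prev = cur
    return min(prev)                      # best end position anywhere in the text


def match_message(rules, message: str):
    """Return the phrases that match the message under their own tolerance."""
    text = message.lower()
    hits = []
    for phrase, fuzz in rules:
        if fuzz == 0:
            if phrase in text:
                hits.append(phrase)
        elif substring_distance(phrase, text) <= fuzz:
            hits.append(phrase)
    return hits


# Constructed category, as it would be typed into the Phrases field
SAMPLE_CATEGORY = """\
(account number)
(password reset)(2)
"""

if __name__ == "__main__":
    rules = parse_phrase_list(SAMPLE_CATEGORY)
    print(match_message(rules, "Please send your ACCOUNT NUMBER"))   # exact phrase, case-insensitive
    print(match_message(rules, "my pasword resett please"))          # two errors, within (2)
    print(match_message(rules, "account nmber"))                     # exact phrase does not tolerate typos
```

Matching is case-insensitive in both modes; a fuzzy phrase with a small tolerance on short words will also match unrelated text, so the allowed error count is best kept well below the phrase length.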

To set a time period:
1 Browse to the Services > Message censor > Time page.
2 Configure the following settings:
Name – Enter a name for the time period.
Active from – to – From the drop-down lists, set the time period. Select the weekdays when the time period applies.
Comment – Optionally, enter a description of the time period.
3 Click Add. Advanced Firewall creates the time period and makes it available for selection on the Services > Message censor > Policies page.

Editing Time Periods
The following section explains how to edit a time period.

To edit a time period:
1 Browse to the Services > Message censor > Time page.
2 In the Current time periods area, select the time and click Edit.
3 In the Time period settings, edit the settings. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Time Periods
The following section explains how to delete time periods.

To delete time periods:
1 Browse to the Services > Message censor > Time page.
2 In the Current time periods area, select the period(s) and click Remove.
3 At the top of the page, click Restart to apply the changes.

Creating Filters
Advanced Firewall uses filters to classify messages according to their textual content. Advanced Firewall supplies a default filter. You can also create custom categories of phrases for use in filters, for more information, see Creating Custom Categories on page 109. You can create, edit and delete filters.

To create a filter:
1 Browse to the Services > Message censor > Filters page.
2 Configure the following settings:
Name – Enter a name for the filter.
Comment – Optionally, enter a description of the filter.
Custom phrase list – Select the categories you want to include in the filter.
3 Click Add. Advanced Firewall creates the filter and makes it available for selection on the Services > Message censor > Policies page.
4 At the top of the page, click Restart to apply the changes.

Editing Filters
You can add, change or delete categories in a filter.

To edit a filter:
1 Browse to the Services > Message censor > Filters page.
2 In the Current filters area, select the filter and click Edit.
3 In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Filters
You can delete filters which are no longer required.

To delete filters:
1 Browse to the Services > Message censor > Filters page.
2 In the Current filters area, select the filter(s) and click Remove.
3 At the top of the page, click Restart to apply the changes.

Creating and Applying Message Censor Policies
The following section explains how to create and apply a censor policy for message content. A policy consists of a filter, an action, a time period and a level of severity.

To create and apply a censor policy:
1 Browse to the Services > Message censor > Policies page.
2 Configure the following settings:
Service – From the drop-down menu, select one of the following options: IM proxy incoming – Select to apply the policy to incoming instant message content. IM proxy outgoing – Select to apply the policy to outgoing instant message content. Click Select to update the policy settings available.
Filter – From the drop-down menu, select a filter to use. For more information on filters, see Creating Filters on page 111.
Action – From the drop-down menu, select one of the following actions: Block – Content which is matched by the filter is discarded. Censor – Content which is matched by the filter is masked but the message is delivered to its destination. Categorize – Content which is matched by the filter is allowed and logged. Allow – Content which is matched by the filter is allowed and is not processed by any other filters.
Time period – From the drop-down menu, select a time period to use. For more information on time periods, see Setting Time Periods on page 110.
Log severity level – From the drop-down list, select a level to assign to the content if it violates the policy, or accept the default setting. Based on the log severity level, you can configure Advanced Firewall to send an alert if the policy is violated. See Chapter 12, Configuring the Inappropriate Word in IM Monitor Alert on page 232 for more information.
Comment – Optionally, enter a description of the policy.
Enabled – Select to enable the policy.

3 Click Add and, at the top of the page, click Restart to apply the policy. Advanced Firewall applies the policy and adds it to the list of current policies.

Editing Policies
You can add, change or delete a policy.

To edit a policy:
1 Browse to the Services > Message censor > Policies page.
2 In the Current policies area, select the policy and click Edit.
3 Edit the settings as required, see Creating and Applying Message Censor Policies on page 113 for information on the settings available. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Policies
You can delete policies which are no longer required.

To delete policies:
1 Browse to the Services > Message censor > Policies page.
2 In the Current policies area, select the policy or policies and click Remove.
3 At the top of the page, click Restart to apply the changes.

Managing the Intrusion System
Advanced Firewall’s intrusion system performs real-time packet analysis on all network traffic in order to detect and prevent malicious network activity. Advanced Firewall can detect a vast array of well-known service exploits including buffer overflow attempts, port scans and CGI attacks. All violations are logged and the logged data can be used to strengthen the firewall by creating IP block rules against identified networks and source IPs.
Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information.

About the Default Policies
By default, Advanced Firewall comes with a number of intrusion policies which you can deploy immediately. The default policies will change as emerging threats change and will be updated regularly.

Deploying Intrusion Detection Policies
Advanced Firewall’s default policies enable you to deploy intrusion detection immediately to identify threats on your network.

To deploy an intrusion detection policy:
1 Browse to the Services > Intrusion system > IDS page.
2 Configure the following settings:
IDS Policy – From the drop-down list, select the policy you want to deploy. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network. See About the Default Policies on page 114 for more information on the policies available, and see Chapter 8, Creating Custom Policies on page 117.
Interface – From the drop-down list, select the interface on which you want to deploy the policy.
Comment – Enter a description for the policy.
Enabled – Select this option to enable the policy.
3 Click Add. Advanced Firewall deploys the policy and lists it in the Current IDS policies area.

Removing Intrusion Detection Policies
To remove an intrusion detection policy from deployment:
1 Browse to the Services > Intrusion system > IDS page.
2 In the Current IDS policies area, select the policy you want to remove.
3 Click Remove. Advanced Firewall removes the policy.

Deploying Intrusion Prevention Policies
Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information.
Advanced Firewall enables you to deploy intrusion prevention policies to stop intrusions such as known and zero-day attacks, undesired access and denial of service.

To deploy an intrusion prevention policy:
1 Browse to the Services > Intrusion system > IPS page.
2 Configure the following settings:
IPS Policy – From the drop-down list, select the policy you want to deploy. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network. See About the Default Policies on page 114 for more information on the policies available, and see Chapter 8, Creating Custom Policies on page 117.
Comment – Enter a description for the policy.
Enabled – Select this option to enable the policy.
3 Click Add. Advanced Firewall lists the policy in the Current IPS policies area.

Removing Intrusion Prevention Policies
To remove an intrusion prevention policy from deployment:
1 Browse to the Services > Intrusion system > IPS page.
2 In the Current IPS policies area, select the policy you want to remove.
3 Click Remove. Advanced Firewall removes the policy.

Creating Custom Policies
By default, Advanced Firewall contains a number of policies which you can deploy to detect and prevent intrusions. It is also possible to create custom policies to suit your individual network.

To create a custom policy:
1 Browse to the Services > Intrusion system > Policies page.

2 Configure the following settings:
Name – Enter a name for the policy you are creating.
Comment – Enter a description for the custom policy.
Signatures – From the list, select the signatures you want to include in the policy. For information on how to add custom signatures, see Uploading Custom Signatures on page 118.
Tip: If the list of signatures takes some time to load, try upgrading to the latest version of your browser to speed up the process.
3 Click Add. Advanced Firewall creates the policy and lists it in the Current policies area. The policy is now available when deploying intrusion detection and intrusion prevention policies. For more information, see Deploying Intrusion Detection Policies on page 114 and Deploying Intrusion Prevention Policies on page 115.

Uploading Custom Signatures
Advanced Firewall enables you to upload custom signatures and/or Sourcefire Vulnerability Research Team (VRT) signatures and make them available for use in intrusion detection and prevention policies.
Note: Use custom signatures with caution as Advanced Firewall cannot verify custom signature integrity.

To upload custom signatures:
1 Navigate to the Services > Intrusion system > Signatures page.
2 Configure the following settings:
Custom signatures – Click Browse to locate and select the signatures file you want to upload. Click Upload to upload the file. Advanced Firewall uploads the file and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page.

Use syslog for Intrusion logging – Select this option to enable logging intrusion events in the syslog.
Oink code – If you have signed up with Sourcefire to use their signatures, enter your Oink code here. Click Update to update and apply the latest signature set. Advanced Firewall downloads the signature set and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page. Note: Updating the signatures can take several minutes.
3 Click Save.

Deleting Custom Signatures
It is possible to delete custom signatures that have been made available on the Services > Intrusion system > Policies page. Any custom signatures you have uploaded to Advanced Firewall or Sourcefire VRT signatures you have downloaded to Advanced Firewall will be listed on the Services > Intrusion system > Policies page.
Note: If you choose to delete custom signatures, Advanced Firewall will delete all custom signatures. If there are detection or prevention policies which use custom signatures, the signatures will be deleted from the policies.

To delete custom signatures:
1 On the Services > Intrusion system > Signatures page, click Delete.
2 Advanced Firewall prompts you to confirm the deletion. Click Confirm. Advanced Firewall deletes the signatures.
For information on deploying intrusion policies, see Deploying Intrusion Detection Policies on page 114 and Deploying Intrusion Prevention Policies on page 115.

DHCP
Advanced Firewall's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to automatically obtain an IP address and other network settings. Advanced Firewall DHCP provides a fully featured DHCP server, with the following capabilities:
• Support for 2 DHCP subnets
• Allocate addresses within multiple dynamic ranges and static assignments per DHCP subnet
• Automate the creation of static assignments using the ARP cache.

Enabling DHCP
To enable DHCP:
1 Navigate to the Services > DHCP > Global page.
2 Configure the following settings:
Enabled – Select to enable the DHCP service.
Server – Select to set the DHCP service to operate as a DHCP server in standalone mode for network hosts.
Relay (forwarding proxy) – Select to set the DHCP service to operate as a relay, forwarding DHCP requests to another DHCP server.
Enable logging – Select to enable logging.
3 Click Save to enable the service.

Creating a DHCP Subnet
The DHCP service enables you to create DHCP subnets. Each subnet can have a number of dynamic and static IP ranges defined.

To create a DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 Configure the following settings:
DHCP Subnet – From the drop-down menu, select Empty and click Select.
Subnet name – Enter a name for the subnet.
Network – Enter the IP address that specifies the network ID of the subnet when combined with the network mask value entered in the Netmask field. For example: 192.168.10.0.
Netmask – Define the subnet range by entering a network mask, for example 255.255.255.0.
Primary DNS – Enter the value that a requesting network host will receive for the primary DNS server it should use.
Secondary DNS – Optionally, enter the value that a requesting network host will receive for the secondary DNS server it should use.

Default gateway – Enter the value that a requesting network host will receive for the default gateway it should use.
Domain name suffix – Enter the domain name suffix that will be appended to the requesting host's hostname.
Default lease time (mins) – Enter the lease time in minutes assigned to network hosts that do not request a specific lease time. The default value is usually sufficient.
Max lease time (mins) – Enter the lease time limit in minutes to prevent network hosts requesting, and being granted, impractically long DHCP leases. The default value is usually sufficient.
Enabled – Determines whether the DHCP subnet is currently active.
Click Advanced to access the following settings:
Primary WINS – Optionally, enter the value that a requesting network host will receive for the primary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Secondary WINS – Optionally, enter the value that a requesting network host will receive for the secondary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Primary NTP – Optionally, enter the IP address of the Network Time Protocol (NTP) server that the clients will use if they support this feature. Tip: Enter Advanced Firewall’s IP address and clients can use its time services if enabled. See Chapter 13, Setting Time on page 269 for more information.
Secondary NTP – Optionally, enter the IP address of a secondary Network Time Protocol (NTP) server that the clients will use if they support this feature. Tip: Enter Advanced Firewall’s IP address and clients can use its time services if enabled. See Chapter 13, Setting Time on page 269 for more information.
TFTP server – Enter which Trivial File Transfer Protocol (TFTP) server workstations will use when booting from the network.
Network boot filename – Specify to the network booting client which file to download when booting off the above TFTP server.
Automatic proxy config URL – Specify a URL which clients will use for determining proxy settings. Note that it should reference a proxy auto-config (PAC) file and only some systems and web browsers support this feature.
Custom DHCP options – Any custom DHCP options created on the Services > DHCP > Custom options page are listed for use on the subnet. For more information, see Creating Custom DHCP Options on page 125.
3 Click Save.
Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the server knows which addresses it should allocate to the various network hosts.

Editing a DHCP Subnet
To edit a DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 From the DHCP Subnet drop-down list, select the subnet and click Select.
3 Edit the settings displayed in the Settings area.
4 Click Save.

Deleting a DHCP Subnet
To delete a DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 From the DHCP Subnet drop-down list, select the subnet and click Select.
3 Click Delete.

Adding a Dynamic Range
Dynamic ranges are used to provide the DHCP server with a pool of IP addresses in the DHCP subnet that it can dynamically allocate to requesting hosts.

To add a dynamic range to an existing DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 Choose an existing DHCP subnet from the DHCP subnet drop-down list, and click Select.
3 In the Add a new dynamic range area, configure the following settings:
Start address – Enter the start of an IP range over which the DHCP server should supply dynamic addresses from. For example, enter 192.168.10.15. This address range should not contain the IPs of other machines on your LAN with static IP assignments.
End address – Enter the end of an IP range over which the DHCP server should supply dynamic addresses to. This address range should not contain the IPs of other machines on your LAN with static IP assignments.
Enabled – Select to enable the dynamic range.
Comment – Enter a description of the dynamic range.
4 Click Add dynamic range. The dynamic range is added to the Current dynamic ranges table.

Adding a Static Assignment
Static assignments are used to allocate fixed IP addresses to nominated hosts. This is done by referencing the unique MAC address of the requesting host’s network interface card. This is used to ensure that certain hosts are always leased the same IP address, as if they were configured with a static IP address.

To add a static assignment to an existing DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.

3 Scroll to the Add a new static assignment area and configure the following settings:
MAC address – Enter the MAC address of the network host’s NIC as reported by an appropriate network utility on the host system. This is entered as six pairs of hexadecimal numbers, with a space, colon or other separator character between each pair, e.g. 12 34 56 78 9A BC or 12:34:56:78:9A:BC.
IP address – Enter the IP address that the host should be assigned.
Comment – Enter a description of the static assignment.
Enabled – Select to enable the assignment.
4 Click Add static. The static assignment is added to the Current static assignments table.

Adding a Static Assignment from the ARP Table
In addition to the previously described means of adding static DHCP assignments, it is possible to add static assignments automatically from MAC addresses detected in the ARP table.

To add a static assignment from the ARP cache to an existing DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3 Scroll to the Add a new static assignment from ARP table area.
4 Select one or more MAC addresses from those listed and click Add static from ARP table.
5 Click Save.

Editing and Removing Assignments
To edit or remove existing dynamic ranges and static assignments, use the options available in the Current dynamic ranges and Current static hosts areas.

Viewing DHCP Leases
To view free leases:
1 Navigate to the Services > DHCP > DHCP leases page.

2 Select Show free leases and click Update. The following information is displayed:
IP address – The IP address assigned to the network host which submitted a DHCP request.
MAC address – The MAC address of the network host that submitted a DHCP request.
Hostname – The hostname assigned to the network host that submitted a DHCP request.
Start time – The start time of the DHCP lease granted to the network host that submitted a DHCP request.
End time – The end time of the DHCP lease granted to the network host that submitted a DHCP request.
State – The current state of the DHCP lease. The state can be either Active, that is, currently leased, or Free, the IP address is reserved for the same MAC address or re-used if not enough slots are available.

DHCP Relaying
Advanced Firewall DHCP relay enables you to forward all DHCP requests to another DHCP server and re-route DHCP responses back to the requesting host.

To configure DHCP relaying:
1 Connect to Advanced Firewall and navigate to the Services > DHCP > DHCP relay page.
2 Enter the IP addresses of an external primary and secondary (optional) DHCP server into the Primary DHCP server and Secondary DHCP server fields. Click Save.
Note: DHCP relaying must be enabled on the Services > DHCP > Global page.

Creating Custom DHCP Options
Advanced Firewall enables you to create and edit custom DHCP options for use on subnets. For example, to configure and use SIP phones you may need to create a custom option which specifies a specific option code and SIP directory server.

To create a custom option:
1 Browse to the Services > DHCP > Custom options page.
2 Configure the following settings:
Option code: From the drop-down list, select the code to use. The codes available are between the values of 128 and 254, with 252 excluded as it is already allocated.
Option type: From the drop-down list, select the option type. IP address – Select when creating an option which uses an IP address. Text – Select when creating an option which uses text.
Description: Enter a description for the option. This description is displayed on the Services > DHCP > DHCP server page.
Comment: Optionally, enter any comments relevant to the option.
Enabled: Select to enable the option.
Click Add. Advanced Firewall creates the option and lists it in the Current custom options area. For information on using custom options, see Creating a DHCP Subnet on page 120.
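On the wire, every DHCP option, custom ones included, is carried as a one-byte code, a one-byte length and the value (the RFC 2132 layout), which is why the guide limits custom codes to 128 to 254 and offers exactly the two value types above. The Python below is an added example, not Smoothwall code: it enforces the code range and the 252 exclusion from this page, encodes an IP address or Text option, and walks an options field back out while honouring PAD and END and refusing truncated options. The SIP directory server values and the codes 150 and 160 are constructed for illustration, not defaults from the product.

```python
import ipaddress

# Option codes the guide offers for custom options: 128 to 254, minus 252, which is
# already allocated (in practice 252 carries the WPAD proxy auto-discovery URL).
CUSTOM_CODE_RANGE = range(128, 255)
RESERVED_CODES = {252}
PAD, END = 0, 255


def validate_code(code: int):
    """Return None if the code may be used for a custom option, else the reason."""
    if code not in CUSTOM_CODE_RANGE:
        return f"option code {code} is outside the custom range 128-254"
    if code in RESERVED_CODES:
        return f"option code {code} is already allocated"
    return None


def encode_option(code: int, opt_type: str, value: str) -> bytes:
    """Encode one custom option as the code/length/value triple carried in the
    DHCP options field: one byte code, one byte length, then the value."""
    problem = validate_code(code)
    if problem:
        raise ValueError(problem)
    if opt_type == "IP address":
        payload = ipaddress.IPv4Address(value).packed      # four bytes, network order
    elif opt_type == "Text":
        payload = value.encode("ascii")                     # printable text, no NUL terminator
        if not payload:
            raise ValueError("text option must not be empty")
    else:
        raise ValueError(f"unknown option type {opt_type!r}")
    if len(payload) > 255:
        raise ValueError("option value longer than 255 bytes cannot fit one option")
    return bytes([code, len(payload)]) + payload


def decode_options(blob: bytes) -> list:
    """Walk a DHCP options field and return (code, value bytes) pairs, skipping PAD,
    stopping at END, and refusing options whose length runs past the data."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} has no length byte")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated: wants {length} bytes, has {len(value)}")
        out.append((code, value))
        i += 2 + length
    return out


def sip_directory_options() -> bytes:
    """Constructed example: a SIP directory server published as text on one custom
    code and as an IP address on a second, followed by END."""
    return (encode_option(150, "Text", "sip.example.net")
            + encode_option(160, "IP address", "192.168.10.5")
            + bytes([END]))


if __name__ == "__main__":
    blob = sip_directory_options()
    print(blob.hex())
    for code, value in decode_options(blob):
        print(code, value)
```

The decoder's length check is the part worth keeping around: a client that trusts the length byte without comparing it to the bytes actually present is the classic source of over-reads when parsing options from an untrusted server or relay.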

Chapter 9 Virtual Private Networking
In this chapter:
• All about Advanced Firewall, VPNs and tunnels.

Advanced Firewall VPN Features
Advanced Firewall contains a rich set of Virtual Private Network (VPN) features:
IPSec site-to-site: Industry-standard IPSec site-to-site VPN tunneling.
IPSec road warriors: Mobile user VPN support using IPSec road warrior clients such as SafeNet SoftRemote, as well as others.
L2TP road warriors: Mobile user VPN support using Microsoft Windows 2000 and XP, as well as older versions of Windows. No client software required, the software is part of the Windows operating system.
SSL VPN: Mobile user VPN support using OpenVPN SSL and a light-weight client installed on the user's computer/laptop.
Internal VPNs: Support for VPNs routed over internal networks.
Authentication: Industry-standard X509 certificates or PreShared Keys (subnet VPN tunnels).
Certificate management: Full certificate management controls built into the interface, with import and export capabilities in a number of formats. Self-signed certificates can be generated.
Tunnel controls: Individual controls for all VPN tunnels.
Logging: Comprehensive logging of individual VPN tunnels.

What is a VPN?
A VPN, in the broadest sense, is a network route between computer networks, or individual computers, across a public network. The public network, in most cases, is the Internet. The P in VPN technologies refers to the encryption and authentication employed to maintain an equivalent level of privacy that one would expect using a traditional circuit which a VPN typically replaces.
Typically, a VPN replaces a leased line or other circuit which is used to link networks together over some geographic distance. In a similar way to how a VPN can replace leased line circuits used to route networks together, a VPN can also replace Remote Access Server (RAS) phone or ISDN lines. These types of connections are usually referred to as road warriors.
There are several technologies which implement VPNs. Some are wholly proprietary, others are open standards. The most commonly deployed VPN protocol is called IPSec, for IP Security, and is a well

established and open Internet standard. Many implementations of this standard exist, and generally all vendors of network security products will have an offering in their product portfolio.
VPNs are mostly used to link multiple branch office networks together, site-to-site VPNs, or to connect mobile and home users, road warriors, to their office network. The network route between a site-to-site or road warrior VPN is provided by a VPN tunnel. All data traversing the tunnel is encrypted, thus making the tunnel and its content unintelligible and therefore private to the outside world.

About VPN Gateways
A VPN gateway is a network device responsible for managing incoming and outgoing VPN connections. Tunnels can be formed between two VPN gateways. A VPN gateway must perform a number of specific tasks:
• Allow VPN tunnels to be configured.
• Allow VPN tunnels to be managed.
• Authenticate the other end of a VPN connection.
• Encrypt all data presented to the VPN tunnel into secure data packets.
• Decrypt secure data received from the VPN tunnel.
• Route all data received from its own Local Area Network (LAN) to the correct VPN tunnel.
• Route all data received from the tunnel to the correct computer on the LAN.

Administrator Responsibilities
A network administrator has three responsibilities:
• Specify the tunnel – define the tunnel on each VPN gateway.
• Configure authentication – define a secure means for each VPN gateway to identify the other, i.e. ensure it can be identified and trusted.
• Manage tunnels – control the opening and closing of tunnels.

About VPN Authentication
Authentication is the process of validating that a given entity, that is a person, system or device, is actually who or what it identifies itself to be. A gateway that initiates a VPN connection must be assured that the remote gateway is the right one. Conversely, the remote gateway must be assured that the initiating gateway is not an imposter. Since VPN gateways are not usually in the same physical location, it is not readily determinable that either gateway is genuine.
Advanced Firewall supports several authentication methods that can be used to validate a VPN gateway's identity:
Pre-Shared Key: Usually referred to as PSK, this is a simplistic authentication method based on a password challenge. For more information, see PSK Authentication on page 129.
X509: An industry strength and internationally recognized authentication method using a system of digital certificates, as published by the ITU-T and ISO standardization bodies. For more information, see X509 Authentication on page 129.

Username/password: In addition to using X509, all users of L2TP road warrior connections must enter a valid username and password, as specified when the L2TP tunnel definition is created. This ensures that both the user and the VPN gateway (the L2TP client) are authenticated.
A more in depth examination of the PSK and X509 authentication methods can be found in the following sections, including recommendations for the usage of each.

PSK Authentication
To use the Pre-Shared Key (PSK) method, connecting VPN gateways are pre-configured with a shared password that only they know. When initiating a VPN connection, each gateway requests the other's password. If the password received by each gateway matches the password stored by each gateway, each gateway is authentic and a secure, trusted VPN tunnel can be established.
The simplicity of PSK is both its strength and its weakness. While PSK tunnels are quick to set up, there are human and technological reasons that make this method unsuitable for larger organizations. Password protection is easily circumvented as passwords are frequently written down, spoken aloud or shared amongst administrator colleagues. Some VPN configurations will also require multiple tunnels to use the same password – highly undesirable if your organization intends to create multiple road warrior VPN connections. While it is possible to create large VPN networks based entirely on PSK authentication, such a scheme is likely to prove unmanageable in the long run and liable to misuse. Hence, PSK authentication is best suited when a single site-to-site or road warrior VPN capability is required.

X509 Authentication
In this model, each VPN gateway is given a digital certificate that it can present to prove its identity, much like a traveler can present his or her passport.

About Digital Certificates
A digital certificate, referred to here as a certificate, is an electronic document that uniquely identifies its owner. Digital certificates are created and issued by a trusted entity called a Certificate Authority (CA), just like a government is entrusted to provide its citizens with passports. In the world of digital certificates, a CA can be called upon to validate the authenticity of a certificate, in the same way that a government can be asked to validate a citizen's passport.
Certificates contain information about both their owner, i.e. the subject, and their issuer, i.e. the CA, and contain the following information:
Subject: Information about who the certificate was issued to, their country, company name etc.
Issuer: Information about the CA that created and signed the certificate.
Validity period: The start and expiry dates, during which time the certificate is valid.
Certificate ID: An alternative identifier for the certificate owner in abbreviated form.
However, it is not yet clear whether the certificate is a forgery – to prove absolute authenticity, X509 utilizes public-key cryptography.

Public-key cryptography is an encryption mechanism that involves the use of a mathematically related pair of encryption keys, one called a private key and the other called a public key. The mathematical relationship allows messages encrypted with the private key to be decrypted by the public key and vice versa. It is computationally infeasible to derive either key from the other. It is also impossible for any other key to decrypt a message apart from the encrypting key's counterpart. If the private key is kept secret by its owner, and the public key is freely accessible to all, any message successfully decrypted using the public key can only have originated from the private key owner.
This concept is exploited by CAs to sign all certificates they create, much like a watermark or other security feature is added to a passport by a government. To sign a certificate, the CA takes the content of the certificate and encrypts it using its private key. The encrypted content is inserted into the certificate. Anybody wishing to determine the authenticity of the certificate can therefore attempt to decrypt the CA signature using the public key attainable from the issuing CA. If the signature can be successfully decrypted and matches the issuer details declared in the certificate, the certificate is proven to be authentic.
However, this only proves that the CA genuinely issued the certificate. Just because a passport was validly issued by a government does not mean that the person presenting it is its rightful owner. This is solved by one further stage of encryption, this time the certificate owner uses its private key to encrypt the entire certificate (including the CA's signature) before presenting the certificate. It can now be proven beyond all doubt that the certificate is the property of its rightful owner (by decrypting it using the owner's public key) and that the certificate was issued by the specified CA (by decrypting the CA's signature from the certificate using the CA's public key), thus proving that the certificate is genuine.
It is usual for a single CA to provide certificates for an entire network of peer systems, but there are alternative schemes that use multiple CAs which will be discussed later.

Advanced Firewall and Digital Certificates
Advanced Firewall is equipped to handle all aspects of setting up a self-contained X509 authentication system. Advanced Firewall enables you to:
• Create a trusted CA.
• Create signed, digital certificates.
• Manage exporting and installing certificates on other Advanced Firewall / VPN gateway systems.
Alternatively, digital certificates can be leased from companies like Verisign or Thawte and then imported, or they can be created by a separate CA such as the one included in Microsoft Windows 2000. The use of a local Advanced Firewall CA is recommended as a more convenient and equally secure approach. For details, see Creating a CA on page 131.

Configuration Overview
The following sections cover the separate topics of CAs, certificates, site-to-site VPNs, road warrior VPNs, internal VPNs and management in great depth. As an overview to these sections, these are the steps required to create a typical site-to-site VPN connection:
1 On the master Advanced Firewall system, create a local Certificate Authority.
2 Create certificates for the master Advanced Firewall system and the remote Advanced Firewall system.
3 Install the master Advanced Firewall's certificate as its default local certificate.
4 Create a tunnel specification on the master Advanced Firewall system that points to the remote Advanced Firewall system.
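The two checks the passage describes, that the CA's signature on a certificate verifies with the CA's public key and that the presenter holds the private key matching the public key inside the certificate, can be seen end to end in a small model. The Python below is an added example written for this guide, not Smoothwall code and not X509: it uses textbook RSA on fixed small primes (labelled in the code; far too small for real use and without the padding a real signature scheme needs) and represents a certificate as the subject, issuer, validity period, public key and certificate ID fields listed in About Digital Certificates above. One detail differs from the prose on purpose: real signatures apply the private key to a hash of the certificate body rather than encrypting the whole certificate, so the model signs a SHA-256 digest. The CA name, gateway name, dates and challenge are constructed.

```python
import hashlib
import json

# Toy RSA parameters: well-known small primes, chosen so the arithmetic is visible.
# Assumption for illustration only; real CAs use 2048-bit or larger moduli and
# padded signature schemes, never textbook RSA.
CA_PRIMES = (1_000_000_007, 998_244_353)
GATEWAY_PRIMES = (999_999_937, 999_999_929)
E = 65537


def make_keypair(p, q, e=E):
    """Return (public, private) as (n, e) and (n, d); d is the inverse of e mod phi."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def digest_mod_n(content: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(content).digest(), "big") % n


def sign(private_key, content: bytes) -> int:
    """Apply the private exponent to the content digest (the 'encrypt with the
    private key' step in the guide's description)."""
    n, d = private_key
    return pow(digest_mod_n(content, n), d, n)


def verify(public_key, content: bytes, signature: int) -> bool:
    """Apply the public exponent: only the matching private key can have produced
    a value that comes back as the digest of this content."""
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(content, n)


def to_be_signed(cert: dict) -> bytes:
    """Canonical bytes of every certificate field except the signature itself."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private, subject, subject_public,
                      not_before, not_after, certificate_id):
    """The CA builds the subject/issuer/validity/ID record and signs it."""
    cert = {
        "subject": subject,
        "issuer": ca_name,
        "public_key": list(subject_public),
        "not_before": not_before,          # ISO dates compare correctly as strings
        "not_after": not_after,
        "certificate_id": certificate_id,
    }
    cert["signature"] = sign(ca_private, to_be_signed(cert))
    return cert


def validate_certificate(cert, installed_cas, today):
    """What a gateway does with a presented certificate: find the issuer among the
    CA certificates it has imported, check the signature, check the dates.
    Returns None when the certificate is acceptable, else the reason."""
    ca_public = installed_cas.get(cert["issuer"])
    if ca_public is None:
        return "issuer is not an installed CA"
    if not verify(ca_public, to_be_signed(cert), cert["signature"]):
        return "CA signature does not verify"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "outside validity period"
    return None


def prove_possession(private_key, challenge: bytes) -> int:
    """The owner signs a fresh challenge with its private key: the guide's second
    stage, showing the presenter is the certificate's rightful owner."""
    return sign(private_key, challenge)


def check_possession(cert, challenge: bytes, response: int) -> bool:
    """Verified with the public key carried inside the (already validated) certificate."""
    return verify(tuple(cert["public_key"]), challenge, response)


if __name__ == "__main__":
    ca_public, ca_private = make_keypair(*CA_PRIMES)
    gw_public, gw_private = make_keypair(*GATEWAY_PRIMES)
    cert = issue_certificate("Head Office CA", ca_private, "branch.example.net",
                             gw_public, "2013-12-01", "2015-12-01", "branch")
    installed = {"Head Office CA": ca_public}        # the imported CA certificate
    print(validate_certificate(cert, installed, "2014-06-01"))     # None: accepted
    tampered = dict(cert, subject="other.example.net")
    print(validate_certificate(tampered, installed, "2014-06-01"))  # signature fails
    nonce = b"constructed challenge 42"
    print(check_possession(cert, nonce, prove_possession(gw_private, nonce)))  # True
```

Two things in the model carry over directly to the product's configuration. A gateway can only reach "None" here for a certificate whose issuer it has in `installed_cas`, which is why the later sections have you import the CA certificate on every remote Advanced Firewall; and the possession check uses a fresh challenge, so replaying a captured certificate presentation proves nothing.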

5 Export the CA certificate and the remote Advanced Firewall certificate from the master Advanced Firewall system.
6 Import the CA certificate on the remote Advanced Firewall system, as exported by step 5.
7 Import and install the remote Advanced Firewall system's certificate, as exported by step 5.
8 Create a tunnel specification on the remote Advanced Firewall system that matches the one created by step 4.
9 Bring the connection up.
10 Ensure that appropriate zone bridging rules are configured and active in order to permit traffic to and from the VPN tunnel. For further information see Chapter 6, Configuring Inter-Zone Security on page 59.
Note: For VPN configuration tutorials, see VPN Tutorials on page 178.

Working with Certificate Authorities and Certificates
A Certificate Authority (CA) is an implicitly trusted system that is responsible for issuing and managing digital certificates. A certificate created by a known CA can be authenticated as genuine.
The following sections explain how to create a local CA using Advanced Firewall, for the purpose of creating certificates for VPN tunnel authentication. They also explain how to export and import CA certificates so that a remote Advanced Firewall has knowledge of the CA. Maintenance tasks such as how to delete CAs are also discussed.

Creating a CA
To create your own certificates for use in VPN tunnel authentication, you require access to at least one CA. It is possible to purchase certificates from an externally managed CA, but this can be inconvenient and costly. This section explains how to create a CA using Advanced Firewall. If you already have a CA on your network, it may be useful to use that, in which case refer to Importing Another CA's Certificate on page 133.

To create a CA:
1 Navigate to the VPN > VPN > Certificate authorities page.
2 Configure the following settings:
Common name: Enter an easily identifiable name.
Organization: Enter an organizational identifier.
Department: Enter a departmental identifier.
Locality or town: Enter a locality or town.
State or province: Enter a state or province.
Country: Enter a two letter country code.
Email: Enter an administrative email address.
Life time: From the drop-down menu, select the length of time that the CA will remain valid for.
User defined (days): If User defined is selected as the life time value of the CA, enter the number of days the CA will be valid.
3 Click Create Certificate Authority. The local CA is created and displayed.
Once a CA has been created, you can use it to create digital certificates for network hosts. You can also export the CA's own certificate to other systems which can use it to authenticate digital certificates issued by the CA.

Exporting the CA Certificate
Once a CA has been created, you need to export its certificate so that other systems can recognize and authenticate any signed certificates it creates. There are two different export formats:

CA certificate in PEM – An ASCII (textual) certificate format commonly used by Microsoft operating systems. Select this format if the certificate is to be used on another Smoothwall System.
CA certificate in BIN – A binary certificate format, select if the certificate is to be used on a system which requires this format. Consult the system's documentation for more information.
You can deliver the certificate to another system without any special security requirements since it contains only public information.
To export the CA certificate:
1 Navigate to the VPN > VPN > Authorities page and configure the following settings:
Name: In the Installed Certificate Authority certificates area, locate and select the local CA certificate.
Export format: From the drop-down list, select the format in which to export the certificate authority's certificate.
2 Click Export and choose to save the file to disk from the dialog box launched by your browser.

Importing Another CA's Certificate
To authenticate a signed certificate produced by a non-local CA, you must import the non-local CA's certificate into Advanced Firewall. This is usually done on secondary Advanced Firewall systems so that they can authenticate certificates created by a master Advanced Firewall system's CA.
Note: The certificate must be in PEM format to be imported.
To import the CA's certificate:
1 Navigate to the VPN > VPN > Authorities page.
2 In the Import Certificate Authority certificate area, click Browse.
3 Locate and open the CA's certificate that you wish to import.
4 Click Import CA cert from PEM. The certificate is listed in the Installed Certificate Authority certificates area.

Deleting the Local Certificate Authority and its Certificate
Note: Deleting the local CA will invalidate all certificates that it has created.
To delete the local CA and its certificate:
1 Navigate to the VPN > VPN > Authorities page.
2 In the Delete local Certificate Authority region, select Confirm delete.
3 Click Delete Certificate Authority.
Once the local CA has been deleted, the Create local Certificate Authority region will be displayed. The Create local Certificate Authority region replaces the Delete local Certificate Authority region. This change in layout occurs because a CA no longer exists on the Advanced Firewall system.

Deleting an Imported CA Certificate
To delete an imported CA's certificate:
1 Navigate to the VPN > VPN > Authorities page.
2 Locate and select the non-local CA certificate in the Installed Certificate Authority certificates region.
3 Click Delete. The CA certificate will no longer appear in the Installed Certificate Authority certificates region and Advanced Firewall will not be able to authenticate any certificates created by it.

Managing Certificates
The following sections explain how to create, view, import, export and delete certificates in Advanced Firewall.

Creating a Certificate
Once a local Certificate Authority (CA) has been created, you can generate certificates. It is normal for a single CA to create certificates for all other hosts that will be used as VPN gateways, i.e. all other Advanced Firewall systems. The first certificate created is usually for the Advanced Firewall system that the CA is installed on. This is because the Advanced Firewall VPN gateway is a separate entity to the CA, and therefore requires its own certificate.
To create a new signed certificate:
1 Navigate to the VPN > VPN > Certificates page.

2 Scroll to the Create new signed certificate area and configure the following settings:
ID type: From the drop-down menu, select the certificate's ID type. The options are: No ID – Not recommended but available for inter-operability with other VPN gateways. Host & Domain Name – Recommended for most site-to-site VPN connections. This does not need to be a registered DNS name. Email address – Recommended for road warrior or internal VPN connections. This does not need to be a real email address, although the use of a real email address is recommended. IP address – Recommended for site-to-site VPNs whose gateways use static IP addresses.
ID value: Enter an ID value. For a site-to-site Advanced Firewall VPN this is typically a hostname. For a road warrior this is usually the user's email address.
Common name: Enter a common name for the certificate, for example Head Office.
Organization: Enter an organizational identifier for the certificate owner.
Department: Enter a departmental identifier for the certificate owner.
Locality or town: Enter a locality or town for the certificate owner.
State or province: Enter a state or province for the certificate owner.
Country: Enter a two letter country code.
Email: Enter an email address for the individual or host system that will own this certificate.
Life time: From the drop-down menu, select the length of time that the certificate will remain valid for.
User defined (days): If User defined is selected as the life time value of the certificate, enter the number of days the certificate will be valid for.
3 Click Create signed certificate. The certificate is listed in the Installed signed certificates area.

Reviewing a Certificate
You can review the content of a certificate. Reviewing certificates can be useful for checking certificate content and validity.
To review a certificate:
1 Navigate to the VPN > VPN > Certificates page.
2 Locate the certificate that you wish to view in the Installed signed certificates region.
3 Click the certificate name. The content is displayed in a new browser window.
4 Close the browser window to return to Advanced Firewall.

Exporting Certificates
Any certificates you create for the purpose of identifying other network hosts must be exported so that they can be distributed to their owner.
To export a certificate:
1 Navigate to the VPN > VPN > Certificates page and scroll to the Installed signed certificates area.

2 Select the certificate you want to export and configure the following settings:
Export format: From the drop-down menu, select the format in which to export the certificate. The following formats are available: Certificate in PEM – An ASCII (textual) certificate format commonly used by Microsoft operating systems. Recommended for all Advanced Firewall to Advanced Firewall VPN connections. Certificate in DER – A binary certificate format for use with non-Advanced Firewall VPN gateways. Private key in DER – Exports just the private key in binary for use with non-Advanced Firewall VPN gateways.
3 Click Export. Choose to save the certificate file (a .pem or .der file) to disk in the dialog box launched by your browser software. The certificate will be saved to the browser's local file system in the specified format.
Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.

Exporting in the PKCS#12 Format
PKCS#12 is a container format used to transport a certificate and its private key. It is recommended for use in all Advanced Firewall to Advanced Firewall VPNs and L2TP road warriors.
To export a certificate in the PKCS#12 container format:
1 Navigate to the VPN > VPN > Certificates page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to export.
3 Enter and confirm a password in the Password and Again fields.
4 Click Export certificate and key as PKCS#12.
5 Choose to save the PKCS#12 container file (a .p12 file) to disk in the dialog box launched by your browser software. The PKCS#12 file will be saved to the browser's local file system.
Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.

Importing a Certificate
Advanced Firewall systems that do not have their own CA will be required to import and install a host certificate to identify themselves. This is the normal process for secondary Advanced Firewall systems, for example, branch office systems connecting to a head office that has an Advanced Firewall system and CA.
To import a certificate:
1 Navigate to the VPN > VPN > Certificates page. In the Import certificates area, configure the following settings:
Password: Enter the password that was specified when the certificate was created.
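The export and import sections above move certificates around in two encodings, PEM (ASCII armour around base64) and DER (the raw binary), and repeatedly distinguish files that are public from files that carry a private key. The Python below is an added example for this guide, not Smoothwall code: it tells the two encodings apart, converts between them, checks that a DER blob is a single SEQUENCE whose declared length matches the bytes actually present (a cheap way to catch a file truncated in transit before you click Import), and flags PEM files that contain a private key so they get the secure handling the notes above call for. The DER byte strings are constructed minimal values, not real certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_format(data: bytes) -> str:
    """PEM is the ASCII armour; DER is binary and a certificate starts with a SEQUENCE tag."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def pem_to_der(pem_text: str):
    """Strip the armour and base64-decode; returns (label, der_bytes)."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no PEM block found")
    label, body = match.group(1), "".join(match.group(2).split())
    return label, base64.b64decode(body, validate=True)


def der_to_pem(label: str, der: bytes) -> str:
    """Wrap DER in PEM armour with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def der_outer_length(der: bytes) -> int:
    """Sanity-check a DER blob: it must be one SEQUENCE whose encoded length
    (short or long form) accounts for exactly the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
            raise ValueError("unsupported or truncated DER length")
        length, header = int.from_bytes(der[2:2 + nbytes], "big"), 2 + nbytes
    if header + length != len(der):
        raise ValueError(f"length mismatch: header declares {length} bytes, {len(der) - header} present")
    return length


def contains_private_key(pem_text: str) -> bool:
    """PEM files can bundle several blocks; flag any that carries a private key,
    which must be distributed securely rather than like a public CA certificate."""
    return any("PRIVATE KEY" in label for label, _ in PEM_BLOCK.findall(pem_text))


# Constructed minimal DER values (not real certificates): a SEQUENCE of two INTEGERs,
# and a SEQUENCE with a long-form length wrapping a 197-byte OCTET STRING.
SAMPLE_DER = b"\x30\x06\x02\x01\x05\x02\x01\x07"
LONG_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"A" * 197


if __name__ == "__main__":
    pem = der_to_pem("CERTIFICATE", SAMPLE_DER)
    print(pem)
    label, der = pem_to_der(pem)
    print(label, der == SAMPLE_DER, der_outer_length(der))
    print(detect_format(pem.encode()), detect_format(SAMPLE_DER))
    print(contains_private_key(pem), contains_private_key(der_to_pem("PRIVATE KEY", b"\x30\x00")))
```

A file that fails `der_outer_length` should be re-exported rather than imported: PKCS#12 and DER exports are single SEQUENCE structures, and a mismatch between declared and actual length almost always means a truncated download or a transfer that altered the bytes.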

Import PKCS#12 filename: To import a certificate in PKCS#12 format: 1 Click Browse and navigate to and select the certificate file. 2 Click Import certificate and key from PKCS#12.
Import PEM filename: To import a certificate in PEM format: 1 Click Browse and navigate to and select the certificate file. 2 Click Import certificate from PEM.
Advanced Firewall imports the signed certificate and lists it in the Installed signed certificates area.

Deleting a Certificate
To delete an installed certificate:
1 Navigate to the VPN > VPN > Certificates page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to delete.
3 Click Delete. The signed certificate will be removed from the Installed signed certificates region.

Setting the Default Local Certificate
One of the most important configuration tasks is to set the default local certificate on each Advanced Firewall host. The default local certificate should be the certificate that identifies its host.

To set the default local certificate:
1 Navigate to the VPN > VPN > Global page.
2 In the Default local certificate region, select the host's certificate from the Certificate drop-down list and click Save.
3 When prompted by Advanced Firewall, click Restart to deploy the certificate. This certificate will now be used by default in all future tunnel specifications, unless otherwise specified.

Site-to-Site VPNs – IPSec
The following sections explain how to create a site-to-site VPN tunnel between two Advanced Firewall systems. The tunnel will use the IPSec protocol to create a secure, encrypted tunnel between head office and a branch office.

Recommended Settings
For Advanced Firewall to Advanced Firewall connections, the following settings are recommended for maximum security and optimal performance:
Encryption: AES
Authentication type: ESP

Hashing algorithm: SHA
Perfect Forward Secrecy: Enabled
Compression: Enabled – unless predominant VPN traffic is already encrypted or compressed.
Note: Many parameters are used when creating an IPSec site-to-site VPN tunnel. For Advanced Firewall to Advanced Firewall connections, many settings can be left at their default values. However, for maximum compatibility with other VPN gateways, some settings may require adjustment. This section describes each parameter that can be configured when creating an IPSec tunnel. For more VPN tutorials, see VPN Tutorials on page 178.

Creating an IPsec Tunnel
To create a site-to-site tunnel:
1 On the Advanced Firewall at head office, browse to the VPN > VPN > IPSec subnets page.
2 Configure the following settings:
Name: Enter a descriptive name for the tunnel connection, for example: New York to London.
Enabled: Select to enable the connection.
Local IP: Enter the IP address of the external interface used on the local Advanced Firewall host. Note: This field should usually be left blank to automatically use the default external IP (recommended).

Local network: Specify the local subnet that the remote host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select the type of the ID that will be presented to the remote system. The choices are: Default local Certificate Subject – Uses the subject field of the default local certificate as the local certificate ID. Local IP – Uses the local IP address of the host as the local certificate ID. User specified Certificate Subject – Uses a user specified certificate subject as the local certificate ID. User specified Host & Domain Name – Uses a user specified host and domain name as the local certificate ID. User specified Email address – Uses a user specified email address as the local certificate ID. User specified IP address – Uses a user specified IP address as the local certificate ID. Note: User specified types are mostly used when connecting to non-Advanced Firewall VPN gateways. Consult your vendor's administration guide for details regarding the required ID type and its formatting.
Local ID value: This field is only used if the local ID type is a User specified type (this is typically used when connecting to non-Advanced Firewall VPN gateways).
Remote IP or hostname: Enter the IP address or hostname of the remote system. The remote IP can be left blank if the remote peer uses a dynamic IP address.
Remote network: This should specify the remote subnet that the local host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down menu, select the type of ID that the remote gateway is expected to present. The choices available are: Remote IP (or ANY if blank Remote IP) – The remote ID is the remote IP address, or any other form of presented ID. User specified Certificate Subject – Allows the user to specify a custom certificate subject string that it should expect the remote gateway to present as ID (typically used for non-Advanced Firewall VPN gateways). User specified Host & Domain Name – Allows the user to specify a custom host and domain name that it should expect the remote gateway to present as ID. User specified Email address – Allows the user to specify a custom email address that it should expect the remote gateway to present as ID. User specified IP address – Allows the user to specify a custom IP address that it should expect the remote gateway to present as ID.
Remote ID value: Enter the value of the ID used in the certificate that the remote peer is expected to present. In most cases, you can leave this field blank because its value will be automatically retrieved by Advanced Firewall during the connection process (according to the chosen ID type).
Authenticate by: From the drop-down list, select the authentication method. For more information on PSK and X509 authentication, see About VPN Authentication on page 128.

Preshared key: Enter the preshared key when PSK is selected as the authentication method.
Preshared key again: Re-enter the preshared key entered in the Preshared key field if PSK is selected as the authentication method.
Use compression: Select to compress tunnel communication. This is useful for low bandwidth connections, but it does increase CPU utilization on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For non-encrypted, uncompressed traffic compression is recommended. For any tunnel with a high proportion of encrypted or already-compressed traffic, compression is not recommended. For example, compressing encrypted data such as HTTPS, or VPN tunnels within tunnels, may decrease performance. The same rule applies when transferring data that is already compressed, for example streaming video. This setting must be the same on the tunnel specifications of both connecting gateways.
Initiate the connection: Select to enable the local VPN system to initiate this tunnel connection if the remote IP address is known.
Interface: Select which interface will be used for this connection, either on external or internal interfaces. PRIMARY means the connection will be on the external interface.
Comment: Enter a descriptive comment for the tunnel, for example: London connection .100 to Birmingham .250.
3 Optionally, click Advanced.
Note: Advanced settings are usually used for compatibility with other VPN gateway systems, although they can be tweaked for performance gains in Advanced Firewall to Advanced Firewall VPN connections. For more information, see Advanced VPN Configuration on page 171.
4 Enter the following information:
Local certificate: This is used in non-standard X509 authentication arrangements.
Authentication type: Select the authentication type used during the authentication process. ESP – Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance. AH – IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.
Perfect Forward Secrecy: Select to enable the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS. This setting should be the same on both tunnel specifications of two connecting gateways.

Virtual Private Networking – Site-to-Site VPNs – IPSec
Phase 1 cryptographic algo: Select the encryption algorithm to use for the first phase of VPN tunnel establishment. 3DES – A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility. AES 128 – Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance. AES 256 – Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger encryption than 3DES. This setting should be the same on both tunnel specifications of two connecting gateways.
Phase 1 hash algo: Select the hashing algorithm to use for the first phase of VPN tunnel establishment. MD5 – A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility. SHA – Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security. This setting should be the same on both tunnel specifications of two connecting gateways.
Phase 2 cryptographic algo: Selects the encryption algorithm to use for the second phase of VPN tunnel establishment. See Phase 1 cryptographic algo for more information on the options. This setting should be the same on both tunnel specifications of two connecting gateways.
Phase 2 hash algo: Selects the hashing algorithm to use for the second phase of VPN tunnel establishment. See Phase 1 hash algo for more information on the options. This setting should be the same on both tunnel specifications of two connecting gateways.
Key life: Set the length of time that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks.
IKE lifetime: Set how frequently, in minutes, the Internet Key Exchange keys are re-exchanged. The default and maximum value of 60 minutes is recommended.
Key tries: Set the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.
Do not rekey: Select to disable re-keying. This can be useful when working with NAT-ed endpoints.

Local internal IP: This optional setting is used when Advanced Firewall itself sends traffic in the IPsec tunnel. Enter the IP of the network interface to use when Advanced Firewall itself sends traffic in the tunnel. Note: If you do not use this setting, Advanced Firewall will not, itself, be able to send traffic in the IPsec tunnel.
5 Click Add to create the tunnel.

IPSec Site to Site and X509 Authentication – Example
This example explains how to create a site-to-site IPSec tunnel using X509 authentication between two Advanced Firewall systems.
Prerequisite Overview
Before you start, you must do the following:
1 Create a CA on the local system. For information on how to do this, see Creating a CA on page 131.
2 Create certificates for the local and remote systems using Host and Domain Name as the ID type. For information on how to do this, see Creating a Certificate on page 134.
3 Install the local certificate as the default local certificate on the local system. For information on how to do this, see Importing a Certificate on page 136.
4 Export the CA certificate in PEM format. For information on how to do this, see Exporting Certificates on page 135.
5 Export the remote certificate in the PKCS#12 container format. For information on how to do this, see Exporting in the PKCS#12 Format on page 136.
6 Import and install the certificate as the default local certificate on the remote system. For information on how to do this, see Importing a Certificate on page 136.
Once the above steps have been completed, proceed with creating tunnel specifications on the local and remote systems as detailed in the following sections.
Creating the Tunnel on the Primary System
To create the tunnel on the primary system:
1 On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the primary system to the secondary system by using the host and domain name ID value in the primary system’s default local certificate.
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address / network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.

Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.
Remote ID type: From the drop-down list, select User specified Host & Domain Name.
Remote ID value: Enter the ID value (the hostname) of the secondary system’s default local certificate.
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Authenticate by: From the drop-down list, select Certificate provided by peer. This will instruct Advanced Firewall to authenticate the secondary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select to reduce bandwidth consumption. This is useful for low bandwidth connections; however, it will require more processing power.
Initiate the connection: Do not select. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment. For example, Tunnel to Branch Office.
2 Click Add to create the tunnel specification and list it in the Current tunnels area. The advanced settings are left to their default values in this example. The next step is to create a matching tunnel specification on the remote system.
Creating the Tunnel on the Secondary System
To create the tunnel on the secondary system:
1 On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the secondary system to the primary system by using the host and domain name ID value in the secondary system’s default local certificate.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.

Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and therefore requires a destination IP address in order to make first contact.
Remote ID type: From the drop-down list, select User specified Host & Domain Name. This matches the primary system’s certificate type of Host and Domain Name, as listed in Prerequisite Overview on page 144.
Remote ID value: Enter the ID value (the hostname) of the primary system’s default local certificate.
Remote network: Enter the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Authenticate by: From the drop-down list, select Certificate provided by peer. This instructs Advanced Firewall to authenticate the primary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select if you selected it on the primary system.
Initiate the connection: Select, as the secondary system is responsible for its connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment, for example, Tunnel to Head Office.
2 Click Add. All advanced settings can be safely left at their defaults.

Checking the System is Active
Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.
To ensure the VPN subsystem is active on both systems:
1 On the primary system, navigate to the VPN > VPN > Control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the VPN > VPN > Control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
Activating the IPSec tunnel
Next, the secondary system should initiate the VPN connection.
To initiate the VPN connection:
1 On the secondary system, navigate to the VPN > VPN > Control page.
2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.
Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.
IPSec Site to Site and PSK Authentication
Pre-Shared Key (PSK) authentication is useful for creating a basic VPN site-to-site connection where there is no requirement for multiple tunnel authentication and management controls.
Creating the Tunnel Specification on Primary System
To create the primary tunnel specification:
1 On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.
Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the local IP address of the primary system’s external IP address.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.

Local ID value: Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.
Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary’s IP address (if one was specified).
Remote ID value: Enter the local IP address of the secondary system.
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared pass phrase.
Preshared Key: Enter a passphrase.
Preshared Key again: Re-enter the passphrase to confirm it.
Use compression: Select this option if you wish to reduce bandwidth consumption. It is useful for low bandwidth connections but requires more processing power.
Initiate the connection: Do not select this option. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.
Comment: Enter a description, for example: Tunnel to Birmingham Branch.
2 Click Add. Advanced Firewall lists it in the Current tunnels area. All advanced settings can be safely left at their defaults. The next step is to create a matching tunnel specification on the remote system.
Creating the Tunnel Specification on the Secondary System
To create the secondary tunnel specification:
1 On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address / network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.

Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the local IP address of the primary system’s external IP address.
Local ID value: Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.
Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and thus it requires a destination IP address in order to make first contact.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary's IP address (if one was specified).
Remote ID value: Enter the local IP address of the secondary system.
Remote network: Specify the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared pass phrase.
Preshared Key: Enter the same passphrase as was entered in the Preshared Key field on the primary system.
Preshared Key again: Re-enter the passphrase to confirm it.
Use compression: Select this option if compression was enabled on the primary system.
Initiate the connection: Select this option, as it is the responsibility of the secondary system to initiate its connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment, for example, Tunnel to Head Office.
2 Click Add. All advanced settings can be safely left at their defaults.
Checking the System is Active
Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.
To check the system is active:
1 On the primary system, navigate to the VPN > VPN > Control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the VPN > VPN > Control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
Activating the PSK tunnel
Next, the secondary system should initiate the VPN connection.
To activate the tunnel:
1 On the secondary system, navigate to the VPN > VPN > Control page.
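The site-to-site tables above (the advanced settings, the X509 example and the PSK example) repeat one requirement in several places: the two tunnel specifications must mirror each other, exactly one side initiates, and a non-initiating gateway must not keep Key tries at zero. The following script, added here as an illustration and not code from the Smoothwall guide or product, encodes those rules as a consistency check over a pair of specifications. The TunnelSpec model, the check logic and the sample values (head office 192.168.10.0, branch 192.168.20.0, the peer address 203.0.113.10 and the passphrases) are constructed for the example; the field names follow the settings described in the guide.

```python
"""Consistency check for a pair of IPSec site-to-site tunnel specifications.

Added example, not code from the Smoothwall guide or product. Field names mirror
the settings described in the guide; the model, checks and sample values are
constructed here for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass
class TunnelSpec:
    name: str
    local_network: str                 # "address/netmask" as entered in the guide
    remote_network: str
    remote_ip: Optional[str]           # None when the peer has a dynamic address
    authenticate_by: str               # "Certificate provided by peer" or "Preshared Key"
    initiate: bool
    preshared_key: str = ""
    use_compression: bool = False
    # Advanced settings; defaults here are assumptions for the example
    authentication_type: str = "ESP"   # "ESP" or "AH"
    pfs: bool = True
    phase1_crypto: str = "3DES"
    phase1_hash: str = "SHA"
    phase2_crypto: str = "3DES"
    phase2_hash: str = "SHA"
    ike_lifetime_min: int = 60
    key_tries: int = 0


# Settings the guide says must agree on both gateways.
MUST_MATCH = ("authenticate_by", "authentication_type", "pfs", "phase1_crypto",
              "phase1_hash", "phase2_crypto", "phase2_hash", "use_compression")


def check_tunnel_pair(primary: TunnelSpec, secondary: TunnelSpec) -> List[str]:
    """Return findings for the pair; an empty list means the two specs are consistent."""
    findings: List[str] = []

    # The local network of one side must be the remote network of the other.
    if ip_network(primary.local_network) != ip_network(secondary.remote_network):
        findings.append("primary Local network does not match secondary Remote network")
    if ip_network(primary.remote_network) != ip_network(secondary.local_network):
        findings.append("primary Remote network does not match secondary Local network")

    # Exactly one side is expected to initiate the connection.
    if primary.initiate == secondary.initiate:
        findings.append("neither side initiates the connection" if not primary.initiate
                        else "both sides initiate the connection")

    for side in (primary, secondary):
        # An initiator needs a destination address to make first contact.
        if side.initiate and not side.remote_ip:
            findings.append(f"{side.name}: Initiate the connection is set but Remote IP is blank")
        # Key tries = 0 makes a non-initiator retry a connection it cannot start.
        if not side.initiate and side.key_tries == 0:
            findings.append(f"{side.name}: non-initiating gateway should not use Key tries = 0")
        if side.authentication_type == "AH":
            findings.append(f"{side.name}: AH provides authentication only, traffic is not encrypted")
        if side.ike_lifetime_min > 60:
            findings.append(f"{side.name}: IKE lifetime exceeds the 60 minute maximum")

    for attr in MUST_MATCH:
        if getattr(primary, attr) != getattr(secondary, attr):
            findings.append(f"{attr} differs: {getattr(primary, attr)!r} vs {getattr(secondary, attr)!r}")

    if primary.authenticate_by == "Preshared Key" and primary.preshared_key != secondary.preshared_key:
        findings.append("preshared keys differ")
    return findings


def example_psk_pair() -> Tuple[TunnelSpec, TunnelSpec]:
    """A correctly mirrored PSK pair modelled on the guide's example (constructed values)."""
    head = TunnelSpec("Tunnel to Birmingham Branch", "192.168.10.0/255.255.255.0",
                      "192.168.20.0/255.255.255.0", None, "Preshared Key", initiate=False,
                      preshared_key="example-passphrase", key_tries=3)
    branch = TunnelSpec("Tunnel to Head Office", "192.168.20.0/255.255.255.0",
                        "192.168.10.0/255.255.255.0", "203.0.113.10", "Preshared Key",
                        initiate=True, preshared_key="example-passphrase")
    return head, branch


def example_misconfigured_pair() -> Tuple[TunnelSpec, TunnelSpec]:
    """The same pair with the mistakes the guide warns about introduced on the branch side."""
    head, branch = example_psk_pair()
    branch.initiate = False            # now nobody initiates, and branch keeps Key tries = 0
    branch.pfs = False                 # gateways disagree on PFS
    branch.preshared_key = "different" # passphrases no longer match
    return head, branch


if __name__ == "__main__":
    for label, pair in (("good", example_psk_pair()), ("bad", example_misconfigured_pair())):
        print(label, check_tunnel_pair(*pair) or "consistent")
```

The check is deliberately strict about Key tries on the non-initiating side: with the default of zero that gateway would retry forever against a peer whose address it may not even know, which is the failure the Key tries description above calls out.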

2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.
Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.
About Road Warrior VPNs
This part of the manual explains how to create road warrior VPN connections to enable mobile and home-based workstations to remotely join a host network. When a road warrior connects to Advanced Firewall, it is given an IP address on a specified internal network. When connected, the road warrior client machine will, to all intents and purposes, be on the configured internal network, just as if it was plugged into the network directly. Other machines on the same internal network can see the client. You can route to other subnets, including other VPN-connected ones.
Advanced Firewall supports two different VPN protocols for creating road warrior connections:
• L2TP – L2TP connections are extremely easy to configure for road warriors using Microsoft operating systems. There are fewer configuration parameters to consider when creating a tunnel specification. However, all L2TP road warriors must connect to the same internal network.
• IPSec – IPSec road warrior connections use the same technology that Advanced Firewall uses to create site-to-site VPNs. IPSec road warriors can be configured to connect to any internal network. IPSec road warriors must have IPSec client software installed and configured to connect to Advanced Firewall. It is recommended for road warriors using Apple Mac, Linux or other non-Microsoft operating systems.
Each user requires their own tunnel, so create as many tunnels as there are road warriors. When configuring a tunnel, the client IP setting is used to assign the road warrior's IP address on the local network. Each road warrior must use a unique, unused IP address. This IP address must match the network that the road warrior connects to (globally specified for L2TP connections, individually specified for each IPSec road warrior). Typically, you would choose a group of IP addresses outside of either the DHCP range or statically assigned machines such as servers.
Note: Road warrior configuration tutorials are provided in VPN Tutorials on page 178.
Configuration Overview
Typically, a road warrior connection is configured as follows:
1 Create a certificate for each road warrior user, usually with the user's email address as its ID type.
2 Decide which VPN protocol best suits your road warrior's needs – L2TP for Win 2000/XP, IPSec for all others.
3 Decide which internal networks and what IP ranges to allocate to road warriors.
4 Create the tunnel specification on the Advanced Firewall system.
5 Install the certificate and any necessary client software on the road warrior system and configure.
6 Connect.
7 Ensure that inbound and outbound access to the road warrior have been configured using appropriate zone bridging rules. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.

IPSec Road Warriors
Before creating a road warrior connection using IPSec, check the following list to assess whether it is the right choice:
• Each connection can be routed to a different internal network.
• Each connection can use different types of cryptographic and authentication settings.
• Client software will need to be installed on road warrior systems.
Also note that the same advanced options that are available when configuring IPSec site-to-site VPNs are also available to IPSec road warriors. This includes overriding the default local certificate.
Creating an IPSec Road Warrior
To create an IPSec road warrior connection:
1 Navigate to the VPN > VPN > IPSec roadwarriors page.
2 Configure the following settings:
Name: Enter a descriptive name for the tunnel.
Enabled: Select to activate the tunnel once it has been added.
Local network: Enter the IP address and network mask combination of the local network, for example 192.168.10.0/255.255.255.0. For example, enter the value 192.168.2.0/24 or 192.168.2.0/255.255.255.0 to allow the road warrior to access all addresses in the range 192.168.2.0 to 192.168.2.255. Note: It is possible to restrict (or extend) the hosts that a road warrior can see on its assigned internal network by changing this setting. For example, if you wish to restrict the connected road warrior to a specific IP address such as 192.168.2.10, set the local network to 192.168.2.10/32.
Client IP: Enter a client IP address for this connection. The IP address must be a valid and available address on the network specified in the Local network field.
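The Local network and Client IP rules above (the Client IP must be a valid, available address inside the Local network, unique per road warrior, normally taken from outside the DHCP range and the statically assigned hosts, and a /32 Local network pins a road warrior to one address) are easy to get wrong by hand when there are many tunnels. The script below, an added illustration rather than code from the Smoothwall guide or product, applies those rules to pick and validate Client IP addresses. The internal network, DHCP pool, server addresses and existing assignments are constructed sample values; Python's ipaddress module accepts both the prefix and the dotted netmask forms the Local network field uses.

```python
"""Choose and validate road warrior Client IP addresses.

Added example, not code from the Smoothwall guide or product. The network,
DHCP range and host addresses below are constructed sample values.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set


def parse_network(text: str) -> IPv4Network:
    """Accept 'a.b.c.d/prefix' or 'a.b.c.d/netmask', the two forms the Local network field uses."""
    return ip_network(text.replace(" ", ""), strict=True)


def usable_hosts(net: IPv4Network) -> List[IPv4Address]:
    """All assignable addresses; for /31 and /32 every address in the network is usable."""
    return list(net) if net.num_addresses <= 2 else list(net.hosts())


def address_range(first: str, last: str) -> Set[IPv4Address]:
    """Expand an inclusive range such as a DHCP pool into a set of addresses."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return {IPv4Address(i) for i in range(lo, hi + 1)}


def validate_client_ip(client_ip: str, local_network: str,
                       reserved: Set[IPv4Address], assigned: Set[IPv4Address]) -> List[str]:
    """Return the reasons a proposed Client IP is unsuitable; an empty list means it is acceptable."""
    ip, net = ip_address(client_ip), parse_network(local_network)
    problems: List[str] = []
    if ip not in net:
        problems.append(f"{ip} is not inside Local network {net}")
    elif ip not in usable_hosts(net):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if ip in reserved:
        problems.append(f"{ip} is in the DHCP range or statically assigned")
    if ip in assigned:
        problems.append(f"{ip} is already assigned to another road warrior")
    return problems


def next_free_client_ip(local_network: str, reserved: Set[IPv4Address],
                        assigned: Set[IPv4Address]) -> Optional[IPv4Address]:
    """Lowest address in the local network that is neither reserved nor already assigned."""
    for host in usable_hosts(parse_network(local_network)):
        if host not in reserved and host not in assigned:
            return host
    return None


# Constructed sample environment: one internal network, a DHCP pool, a few servers
# and two road warriors that already have addresses.
SAMPLE_LOCAL_NETWORK = "192.168.2.0/255.255.255.0"
SAMPLE_RESERVED = address_range("192.168.2.100", "192.168.2.199") | {
    ip_address(a) for a in ("192.168.2.1", "192.168.2.10", "192.168.2.11")}
SAMPLE_ASSIGNED = {ip_address("192.168.2.200"), ip_address("192.168.2.201")}

if __name__ == "__main__":
    print("next free:", next_free_client_ip(SAMPLE_LOCAL_NETWORK, SAMPLE_RESERVED, SAMPLE_ASSIGNED))
    for candidate in ("192.168.2.150", "192.168.2.200", "192.168.3.5", "192.168.2.2"):
        print(candidate, validate_client_ip(candidate, SAMPLE_LOCAL_NETWORK,
                                            SAMPLE_RESERVED, SAMPLE_ASSIGNED) or "ok")
    # A /32 Local network restricts the road warrior to a single host, as the guide notes.
    print(validate_client_ip("192.168.2.10", "192.168.2.10/32", set(), set()) or "ok")
```

Treating the DHCP pool and the static servers as one reserved set is what the guide's advice to allocate road warrior addresses "outside of either" amounts to; keeping the allocation in one place also makes the uniqueness requirement across tunnels checkable rather than a matter of memory.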

Local ID type: From the drop-down list, select the local ID type. Default local Certificate Subject is recommended for road warrior connections.
Local ID value: If you chose a User Specified ID type, enter a local ID value.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This is recommended as it allows the road warrior to present any form of valid ID.
Remote ID value: Enter the value of the ID used in the certificate that the road warrior is expected to present.
Authenticate by: From the drop-down list, select one of the following options: To use the road warrior's certificate, choose Certificate presented by peer. To use a certificate created by a different CA, select it. Authenticating by a named certificate is recommended for ease of management. Preshared Key: select to use the global preshared key as defined on the VPN > VPN > Global page, see below.
Use compression: Select to reduce bandwidth consumption (useful for low bandwidth connections). This will require more processing power.
Interface: Used to specify whether the road warrior will connect via an external IP or an internal interface.
Comment: Enter a descriptive comment, for example: IPSec connection to Joe Blogg's on .240.
3 Click Advanced and enter the following information:
Local certificate: This is used in less standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 171.
Authentication type: Provides a choice of ESP or AH security during the authentication process. ESP – Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance. AH – IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended. This setting should be the same on both tunnel specifications of two connecting gateways.
Perfect Forward Secrecy: This enables the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.

Phase 1 cryptographic algo: This selects the encryption algorithm used for the first phase of VPN tunnel establishment. 3DES – A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility. AES 128 – Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance. AES 256 – Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger encryption than 3DES. This setting should be the same on both tunnel specifications of two connecting gateways.
Phase 1 hash algo: This selects the hashing algorithm used for the first phase of VPN tunnel establishment. MD5 – A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility. SHA – Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security. This setting should be the same on both tunnel specifications of two connecting gateways.
Phase 2 cryptographic algo: This selects the encryption algorithm used for the second phase of VPN tunnel establishment. See Phase 1 cryptographic algo for more information on the options. This setting should be the same on both tunnel specifications of two connecting gateways.
Phase 2 hash algo: This selects the hashing algorithm used for the second phase of VPN tunnel establishment. See Phase 1 hash algo for more information on the options. This setting should be the same on both tunnel specifications of two connecting gateways.
Key life: This sets the duration that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks.
IKE lifetime: Sets how frequently the Internet Key Exchange keys are re-exchanged. The default and maximum value of 60 minutes is recommended.
Key tries: This sets the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.
Do not Rekey: Turns off re-keying, which can be useful for example when working with NAT-ed end-points.
Note: The advanced settings of an IPSec road warrior tunnel operate in exactly the same manner as those for a site-to-site IPSec connection. For details on the operation of each advanced control, see Section 5.1 Introduction to Site to Site VPNs.
4 Click Add at the bottom of the page to add the tunnel to the list of current tunnels.

Supported IPSec Clients
Smoothwall currently recommends the use of the following third-party IPSec client applications for IPSec road warriors with Microsoft Operating Systems:
• SafeNet SoftRemote LT
• SafeNet SoftRemote 10
• SafeNet SoftRemote 9
Creating L2TP Road Warrior Connections
This section covers the steps required to create an external road warrior connection using L2TP. Such connections have the following features:
• All connections share the same, globally specified subnet.
• Very easy to configure.
• Mostly supported by Microsoft operating systems, with built-in support on Windows 2000 and XP.
Creating a Certificate
The first task when creating an L2TP road warrior connection is to create a certificate. A road warrior certificate is typically created using the user's email address as the certificate ID. For further information, see Creating a Certificate on page 134.
Configuring L2TP and SSL VPN Global Settings
To configure L2TP and SSL VPN global settings:
1 On the VPN > VPN > Global page, configure the following settings:
L2TP and SSL VPN client configuration settings: Enter primary and secondary DNS settings. These DNS settings will be assigned to all connected L2TP road warriors and SSL VPN users. If applicable, enter primary and secondary WINS settings. These WINS settings will be assigned to all connected L2TP road warriors and SSL VPN users.
L2TP settings: From the drop-down list, select the internal network that L2TP road warriors will be connected to.
2 Click Save.

Creating an L2TP Tunnel
To create an external L2TP road warrior connection:
1 Navigate to the VPN > VPN > L2TP roadwarriors page.
2 Click Advanced to display all settings and configure the following settings:
Name: Enter a descriptive name for the tunnel. For example: Joe Blogg's L2TP.
Enabled: Select to activate the tunnel once it has been added.
Username: Enter a username for this connection.
Password: Enter a password for the tunnel.
Again: Re-enter the password to confirm it.
Client IP: Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the globally specified internal network.
L2TP client OS: From the drop-down list, select the L2TP client’s operating system.
Interface: Select PRIMARY.
Comment: Enter a descriptive comment.
Advanced: Click Advanced to access more options.
Local certificate: From the drop-down list, select the default local certificate to provide the Advanced Firewall’s default local certificate as proof of authenticity to the connecting road warrior.
Authenticate by: From the drop-down list, select one of the following options: Certificate presented by peer – If the certificate was created by a different CA, choose this option. Common Name's organization certificate – The peer has a copy of the public part of the host's certificate. Here both ends are Certificate Authorities, and each has installed the peer’s public certificate. Authenticating by a named certificate is recommended for ease of management.
3 Click Add to create the L2TP tunnel specification and add it to the Current tunnels region.

Configuring an iPhone-compatible Tunnel
Advanced Firewall enables you to configure iPhone-compatible tunnels. Configuring an
iPhone-compatible tunnel entails:
• setting a preshared key and configuring DNS and interface settings on the VPN > VPN > Global page
• creating the tunnel on the VPN > VPN > L2TP roadwarriors page.
Note: Before you start, please be aware of the following limitation in IPSec preshared key (PSK)
authentication mode: all connections from unknown IP addresses, including IPSec and L2TP road
warriors, must use the same authentication method and, in the case of PSK, the same secret. In
practice, this means that if you want to create a tunnel between an iPhone-compatible device and
Advanced Firewall, you must:
• not have any L2TP or IPSec road warriors, as they use certificates for authentication
• not have any IPSec subnet tunnels to unknown (blank) remote IPs. There is a workaround for subnet
tunnels to unknown remote IPs, but the IPSec subnets would have to use PSK authentication with the
same shared secret as the iPhone-compatible device.
To configure an iPhone-compatible tunnel:
1 On the VPN > VPN > Global page, configure the following settings:
IPSec Road Warrior (and L2TP) Preshared Key – Preshared key – Enter a strong password which
contains more than 6 characters.
L2TP and SSL VPN client configuration settings – Enter the primary and secondary DNS settings.
2 Click Save. Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:
Name – Enter a descriptive name for the tunnel. For example: CEO's iPhone.
Enabled – Select to activate the tunnel once it has been added.
Client IP – Enter a client IP address for this connection. The IP address must be a valid and available
IP on the globally specified internal network.
Username – Enter a username for this connection.
Password – Enter a password for the tunnel.
Again – Re-enter the password to confirm it.
Authenticate by – Preshared key (iPhone compatible) – Select this option to use the preshared key
entered in step 1.
L2TP client OS – From the drop-down list, select Apple (iPhone compatible).
Comment – Optionally, enter a description of the tunnel.
3 Click Add. Advanced Firewall creates the tunnel and lists it in the Current tunnels area.
4 On the iPhone-compatible device, navigate to Settings > General > Network > VPN.
5 Select Add VPN Configuration and configure the following settings:
Description – Enter a description for the tunnel.
Server – Enter Advanced Firewall's external IP address.

Account – Enter the username as entered in step 2.
RSA SecurID – Set to OFF.
Password – Enter the password as entered in step 2.
Secret – Enter the PSK as configured in step 1.
Send All Traffic – Set to ON for routing to other VPNs.
Proxy – Set to OFF.
6 Select Save to save the tunnel configuration. The tunnel is now ready for use.

Using NAT-Traversal
Passing IPSec traffic through any NATing device such as a router (or a separate firewall in front of the
VPN gateway/client) can cause problems. IPSec normally uses Protocol 50, which embeds IP
addresses within the data packets – standard NATing will not change these addresses, and the
recipient VPN gateway will receive VPN packets containing private (non-routable) IP addresses. In this
situation, the VPN cannot work.
However, Advanced Firewall can operate in IPSec NAT Traversal (NAT-T) mode. NAT-T uses the UDP
protocol instead of Protocol 50 for IPSec VPN traffic – UDP is not affected by the NAT process. This
does of course require that the other end of the VPN tunnel supports NAT-T. Both SafeNet SoftRemote
and SSH Sentinel support this mode, as do the vast majority of other modern VPN gateway devices.
Note: NAT-T is a VPN gateway feature, not a NATing feature.
Note: Any IPSec VPN client connections from a local network behind Advanced Firewall that connect
to another vendor's VPN gateway will also need to use NAT-T rather than Protocol 50 for the reasons
stated above.

VPNing Using L2TP Clients
This section explains the configuration process for supported Microsoft operating systems.

L2TP Client Prerequisites
To connect to an L2TP tunnel, a road warrior must be using a Microsoft operating system which is
covered by the Microsoft support lifecycle.

Connecting Using Windows XP/2000
Users of Windows XP or Windows 2000 should first ensure that they are running the latest service
release of their operating system. Please use the Microsoft Windows Update facility to ensure
compliance, see http://windowsupdate.microsoft.com/
Specifically, one particular Windows update is required for L2TP connections to function:
• Q818043 – L2TP/IPSec NAT-T update. Information about this patch can be found at
http://support.microsoft.com/?kbid=818043
The above update will already be installed if you are running Windows XP SP2 or above, or Windows
2000 SP4 or above.
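Whether a road warrior is reaching the gateway through NAT-T or with native ESP shows up in gateway-side connection logs: IKE on UDP 500 followed by either UDP 4500 (NAT-T) or IP protocol 50 (ESP), and nothing else is needed to bring the tunnel up. The following Python triage is added here and is not part of the Smoothwall product: it parses log lines in a constructed key=value format, records which IPSec transport each client ended up using, and sets aside any other traffic from the client for investigation. The gateway address, client addresses and log format are all constructed.

```python
"""Triage of connection-log lines from L2TP/IPSec road warriors.

Added example, not part of the Smoothwall product.  It applies two points
from the NAT-Traversal discussion: a client behind a NATing device must reach
the gateway with NAT-T (UDP 4500) rather than native ESP (IP protocol 50),
and apart from IKE (UDP 500) nothing else is needed to bring the tunnel up.
The log format and all addresses are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

IKE_PORT = 500     # ISAKMP/IKE negotiation
NAT_T_PORT = 4500  # UDP-encapsulated IKE and ESP once NAT is detected
ESP = "esp"        # native IP protocol 50; only works when no NAT is in the path


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "udp", "tcp" or "esp"
    dport: Optional[int]  # None for ESP, which carries no port numbers


def parse_line(line: str) -> Flow:
    """Parse one constructed log line: 'src=<ip> dst=<ip> proto=<p> [dport=<n>]'."""
    fields = dict(token.split("=", 1) for token in line.split())
    dport = int(fields["dport"]) if "dport" in fields else None
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), dport)


def is_vpn_setup_flow(flow: Flow, gateway: str) -> bool:
    """True only for IKE, NAT-T or native ESP addressed to the VPN gateway."""
    if flow.dst != gateway:
        return False
    if flow.proto == ESP:
        return True
    return flow.proto == "udp" and flow.dport in (IKE_PORT, NAT_T_PORT)


def triage(lines: List[str], gateway: str) -> Dict[str, object]:
    """Separate legitimate tunnel set-up traffic from everything else and
    record, per client, which IPSec transport it used ("nat-t" means a NATing
    device sits between that client and the gateway)."""
    expected: List[Flow] = []
    unexpected: List[Flow] = []
    transport: Dict[str, Set[str]] = {}
    for line in lines:
        flow = parse_line(line)
        if not is_vpn_setup_flow(flow, gateway):
            unexpected.append(flow)
            continue
        expected.append(flow)
        if flow.proto == ESP:
            transport.setdefault(flow.src, set()).add("esp")
        elif flow.dport == NAT_T_PORT:
            transport.setdefault(flow.src, set()).add("nat-t")
    return {
        "expected": expected,
        "unexpected": unexpected,
        "transport_by_client": {src: sorted(kinds) for src, kinds in transport.items()},
    }


# Constructed sample: 198.51.100.1 plays the VPN gateway's external address.
GATEWAY = "198.51.100.1"
SAMPLE_LOG = [
    "src=203.0.113.10 dst=198.51.100.1 proto=udp dport=500",    # IKE from a client behind NAT
    "src=203.0.113.10 dst=198.51.100.1 proto=udp dport=4500",   # ... which switches to NAT-T
    "src=203.0.113.10 dst=198.51.100.1 proto=udp dport=1701",   # L2TP in the clear: should be inside ESP
    "src=203.0.113.22 dst=198.51.100.1 proto=udp dport=500",    # IKE from a directly connected client
    "src=203.0.113.22 dst=198.51.100.1 proto=esp",              # ... which uses native ESP
    "src=203.0.113.22 dst=198.51.100.77 proto=udp dport=500",   # IKE aimed at a non-gateway host
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, GATEWAY)
    for flow in result["unexpected"]:
        print("investigate:", flow)
    print("transport by client:", result["transport_by_client"])
```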

One further requirement is that the road warrior user must be a member of the Administrator group in
order to install the necessary certificates into the Local Computer certificate store.

Installing an L2TP Client
The first step in the connection process is to run the L2TP Client Wizard. It is a freely distributable
application that automates much of the configuration process. You can download it from here.
Note: There is an alternative configuration method that uses a command line tool, thus enabling an
L2TP connection to be configured as part of a logon script. For details, see Advanced VPN
Configuration on page 171.
When started, the L2TP Client Wizard first ensures that the Q818043 hotfix is installed. If it is not, the
program issues a warning. Assuming the hotfix is installed, it will then guide the user through the steps
of configuring the connection to the Advanced Firewall system.
To install the L2TP client:
1 Run the L2TP Client Wizard on the road warrior system. The following screen is displayed:
2 View the license and click Next to agree to it.

3 Click Browse and open the CA certificate file as exported during the certificate creation process.
Click Next. The following dialog opens:
4 Click Browse to locate and select the road warrior's host certificate file, as exported during the
certificate creation process. This must be a PKCS#12 file, typically saved as *.p12. Enter the password
and click Next. The following screen is displayed:
5 Ensure that the Launch New Connection Wizard option is selected and click Install.

6 The wizard installs the certificates. Click Finish. The Microsoft New Connection Wizard is launched.
7 Click Next. The following screen is displayed:
8 Select Connect to the network at my workplace and click Next.

9 Select Virtual Private Network connection and click Next. The following screen is displayed:
10 Enter a name for the connection and click Next. The following screen is displayed:
11 Enter Advanced Firewall's host name or IP address and click Next.

12 Click Finish. Ensure that the tunnel is enabled. The Connect dialog box is displayed.
13 Enter the username and password of the road warrior and click Connect.
Note: Certain anti-malware and worm detection software may generate alerts when L2TP client
connections are first established. Only UDP port 500 and UDP port 4500 and/or ESP should flow from
the road warrior when using a Smoothwall L2TP over an IPSec connection. Any alerts concerning this
kind of traffic can be safely ignored, and unblocked communication permitted.

VPNing with SSL
Advanced Firewall supports OpenVPN SSL connections. Using light-weight clients, which can be
easily configured and distributed, any user account able to authenticate to the configured directory
service, plus the list of local users, gains easy and secure VPN access to your network. All your users
need to know is their Advanced Firewall user account name and password.
Prerequisites
• An installed default local certificate, see Setting the Default Local Certificate on page 137 for more
information.

Configuring VPN with SSL
The following section explains how to configure Advanced Firewall for VPNing with SSL.
To configure SSL VPN settings:
1 Browse to the VPN > VPN > Global page. In the SSL VPN settings area, configure the following
settings:
Enable SSL VPN – Select to enable SSL VPN on Advanced Firewall.
Transport protocol – Select the network protocol. The following options are available:
TCP (HTTPS) – Select to run the SSL VPN connection over TCP on port 443, the standard HTTPS
port. This protocol is preferred for compatibility with filters between the client and the server.
UDP (1194) – Select to run the SSL VPN connection over UDP on port 1194. This protocol is preferred
for performance.

SSL VPN network address – Accept the default network address or enter a new one. If the default
subnet, 10.110.0/24, is taken by any existing network, configure this setting to use a range not taken
on the network. The IP range must be one not used for any physical network.
Note: Because connected clients are placed on a virtual network within Advanced Firewall, SSL VPN
users get an IP address on a virtual interface when they connect. Therefore, to ensure that a user gets
full VPN connectivity, all machines they access must also have a route to this network.
SSL VPN netmask – Accept the default network netmask or enter a new one.
SSL VPN client gateway(s) – Usually, a client is configured to use Advanced Firewall's primary external
IP address as its gateway. However, you have the option to set one or more different gateways. If set,
the gateway(s) will be used by the SSL VPN clients as the connecting gateway host. Enter one IP
address or hostname per line. If blank, the primary external IP address of the gateway will be used
and, if dynamic DNS is used, this will not work.
Choose random gateway – Select this setting to enable clients to connect on a random address when
multiple gateways are defined. This is good for load balancing over multiple links.
Force clients to use SSL VPN as gateway – Select to configure Advanced Firewall to force the client to
send all its traffic through the SSL VPN connection. Advanced Firewall can force all connected clients
to route through it, which is generally better as it enforces the policy on the server end.
Enable TLS authentication – Select this setting to apply Transport Layer Security (TLS) authentication.
TLS authentication can mitigate a denial of service condition.
Note: For systems which have never had VPN configured, this setting is on by default. For systems
which have had VPN configured, this setting is off by default.
2 Click Save to save the settings and, at the top of the page, click Restart to apply the settings.
Note: On Windows Vista, add the user to the built-in Network Configuration Operators group.

Managing SSL Road Warriors
Managing SSL road warriors entails managing group access to SSL VPNs and managing custom
scripts for SSL VPNs. See the sections that follow for more information.

Managing Group Access to SSL VPNs
By default, all groups are allowed to use SSL VPN. Advanced Firewall enables you to stop one or more
groups from using SSL VPNs by disabling access.

To disable a group from using SSL VPN:
1 Browse to the VPN > VPN > SSL roadwarriors page.
2 From the Select group drop-down list, select the group you want to disable from using SSL VPN and
then click Select. Advanced Firewall displays SSL VPN group settings.
3 De-select the Enable option and click Save. Advanced Firewall disables access.
4 Repeat the steps above for any other groups you want to disable from using SSL VPN.

Managing Custom Client Scripts for SSL VPNs
Advanced Firewall enables you to upload or remove preconnect, connect and disconnect scripts which
can carry out custom commands before or after a VPN comes up or goes down. You can also deploy
scripts based on groups.

Uploading Scripts
To upload scripts:
1 Browse to the VPN > VPN > SSL roadwarriors page.
2 In the Select group area, accept the default settings to apply any uploaded scripts to all groups, or,
from the Select group drop-down list, select the group to which the script(s) will be specifically
deployed. Click Select.
3 To upload a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script
text box, click Browse.
4 When prompted, browse to and select the script. Click Upload preconnect script. Advanced Firewall
uploads the script, displays the size of the script and a message confirming a successful upload.
5 Repeat the steps above to upload connect and disconnect scripts as required.

Removing Scripts
To remove scripts:
1 Browse to the VPN > VPN > SSL roadwarriors page.
2 In the Select group area, accept the default settings to remove any uploaded scripts from all groups,
or, from the Select group drop-down list, select the group from which the script(s) will be specifically
removed. Click Select.

3 To remove a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script
text box, click Remove preconnect script.
4 Advanced Firewall removes the script and displays a message confirming a successful removal.
5 Repeat the steps above to remove connect and disconnect scripts as required.

Generating SSL VPN Archives
You can generate an archive of the SSL VPN settings which can be distributed to users. Archives can
contain SSL VPN settings and, optionally, custom client scripts.
Note: An archive can be used for both internal and external use. See Configuring VPN with SSL on
page 162 for more information on external use. See Configuring SSL VPN on Internal Networks on
page 165 for more information on internal use.
To generate an SSL client archive:
1 On the VPN > VPN > Global page, configure the SSL VPN settings. For more information, see
Configuring VPN with SSL on page 162.
2 If you do not want to include custom scripts in the archive, you can generate the archive now. Click
Generate client archive. Advanced Firewall generates an archive containing the client software and
the VPN settings required and prompts you to save the file in a suitable location. See step 4 for what
to do next.
3 If you want to include scripts in the archive, browse to the VPN > VPN > SSL roadwarriors page and
configure the scripts. For more information, see Managing Custom Client Scripts for SSL VPNs on
page 164.
4 Click Generate client archive. Advanced Firewall generates an archive containing the client software
and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable
location.
5 Once saved, distribute the archive to those users who will be using SSL VPNing. You can use the
Advanced Firewall portal to distribute the archive. For information on how, see Chapter 8, Making the
SSL VPN Client Archive Available on page 85.
See Configuring and Connecting Clients on page 166 for information on how to install the SSL VPN
software on clients.

Configuring SSL VPN on Internal Networks
Advanced Firewall's SSL VPN functionality can be deployed to secure internal wireless interfaces.
Note: The same archive can be used for both internal and external use.
To configure SSL VPN on an internal network:
1 On the VPN > VPN > Global page, configure the SSL VPN settings. For more information, see
Configuring VPN with SSL on page 162.
2 Click Advanced and, in the Additional SSL VPN client internal interfaces area, select the interface on
which to deploy the SSL VPN.
3 Click Generate client archive. Advanced Firewall generates an archive containing the client software
and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable
location.
4 Once saved, distribute the archive to users who require secure access to the internal wireless
interface. You can use the Advanced Firewall portal to distribute the archive. For information on how,
see Chapter 8, Making the SSL VPN Client Archive Available on page 85.

Configuring and Connecting Clients
The following sections explain how to install the SSL VPN client software and connect using an SSL
VPN connection.

Installing the Software
To install the SSL VPN client software:
1 Extract the client archive, see Configuring VPN with SSL on page 162, to a suitable location and
double-click on Smoothwall-SSL-OpenVPN-client.exe to start the installation wizard. The following
screen opens:
2 Click Next to continue. The following screen opens:
3 Read the license and click I agree to continue.

The following screen opens:
4 Accept the default components and click Next to continue. The following screen opens:
5 Accept the default destination folder or click Browse to select a different destination. Click Install to
continue. The following screen opens:
6 Click Continue Anyway.

The following screen opens:
7 Click Next to continue. The following screen opens:
8 Click Finish to complete the installation.

Opening an SSL VPN Connection
To open an SSL VPN connection:
1 In the system tray, right click on OpenVPN GUI and select Connect. The following dialog box is
displayed:
2 Configure the following settings:
Username – Enter the name of the user account to be used.
Password – Enter the password belonging to the account.

3 Click OK. The SSL VPN connection is opened.

Closing an SSL VPN Connection
To close an SSL VPN connection:
1 In the system tray, right click on OpenVPN GUI and select Disconnect.

VPN Zone Bridging
In order to permit or deny inbound and outbound access to and from a site-to-site VPN tunnel,
ensure that appropriate zone bridging rules are configured.
L2TP road warriors and SSL VPNs require zone bridging rules that bridge the interface. IPSec road
warriors also require zone bridging rules, and share their zone bridging configuration with IPSec
subnets. For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Secure Internal Networking
This part of the manual explains how Advanced Firewall can be used to provide secure internal
networking using VPN technology.
An internal VPN capability can be useful in many situations; a few examples of typical scenarios are
given below:

Secure wireless access – Commonly used wireless access protocols offer relatively weak levels of
security, thus allowing potential intruders to directly access and intercept confidential data on an
organization’s internal network. Advanced Firewall can ensure secure wireless access by providing
an additional interface as an internal VPN gateway. By attaching a wireless access point to this
interface, wireless clients can connect and create a secure tunnel to the desired internal network.
Without the necessary authentication credentials (a certificate), wireless intruders cannot gain access
to any network resource.

Hidden network access – It is possible to create a hidden network that can only be accessed via a
secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed
by an exclusively authenticated member of staff. To do this, create a network that is not bridged to
any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the
hidden network.
There is no complicated configuration process for creating such internal VPNs: the facility is provided
by globally nominating an internal VPN interface and creating tunnels that specify it as their interface.

Creating an Internal L2TP VPN
To create an internal L2TP VPN connection:
1 Navigate to the VPN > VPN > Global page.
2 In the L2TP settings area, from the L2TP client internal interface drop-down list, choose an internal
network interface.
3 Optionally, click Advanced and configure the following settings:
Enable NAT-Traversal – NAT-T is enabled by default and allows IPSec clients to connect from behind
NATing devices. In some advanced and unusual situations, however, this feature may prevent
connections; therefore, NAT-T can be disabled.
Enable Dead Peer Detection – Used to activate a keep-alive mechanism on tunnels that support it.
This setting, commonly abbreviated to DPD, allows the VPN system to almost instantly detect the
failure of a tunnel and have it marked as Closed in the control page. If this feature is not used, it can
take any time up to the re-keying interval (typically 20 minutes) to detect that a tunnel has failed.
Since not all IPSec implementations support this feature, it is not enabled by default. In setups
consisting exclusively of Advanced Firewall VPN gateways, it is recommended that this feature is
enabled.
Copy TOS (Type Of Service) bits in and out of tunnels – When selected, TOS bits are copied into the
tunnel from the outside as VPN traffic is received, and conversely in the other direction. This makes it
possible to treat the TOS bits of traffic inside the network (such as IP phones) in traffic shaping rules
within Traffic and traffic shape them. If this option is not selected, the TOS bits are hidden inside the
encrypted tunnel and it is not possible to traffic shape VPN traffic.
Note: There is a theoretical possibility that enabling this setting can be used to spy on traffic.
4 Click Save.

Note: We advise you to limit any zone bridging from the nominated interface to other interfaces.
Tunnels connecting to the nominated additional interface will be assigned an IP address on the L2TP
client internal interface, as shown in the L2TP settings region.
If a zone bridge is created between the additional nominated interface and the L2TP client interface,
it allows the VPN to be circumvented and thus limits its usefulness.
5 Create a certificate for the L2TP client. See Creating a Certificate on page 134.
6 Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:
Name – Enter a descriptive name for the tunnel.
Enabled – Select to activate the tunnel once it has been added.
Client IP – Enter a client IP address for this connection. The IP address must be a valid and available
IP on the globally specified internal network.
Username – Enter a username for this connection.
Password – Enter a password for the connection.
Again – Re-enter the password to confirm it.
Authenticate by – To dedicate this connection to a specific user, choose the user's certificate from the
drop-down list. To allow any valid certificate holder to use this tunnel, choose the Certificate provided
by peer option. If your organization anticipates supporting many road warrior connections,
authenticating by a specific certificate is recommended for ease of management.
L2TP client OS – From the drop-down list, select the L2TP client's OS.
Comment – Enter a descriptive comment.
7 Click Advanced and, from the Local certificate drop-down list, select Default.
8 Click Add. Advanced Firewall lists the tunnel in the Current tunnels area.
To configure client access to the L2TP tunnel, see Installing an L2TP Client on page 158.

Advanced VPN Configuration
The following sections explain how and when you might want to use non-standard configurations of
CAs, certificates and tunnel definitions to:
• Allow sites to autonomously manage their own road warriors
• Create VPN links between co-operating organizations
• Create VPN hubs that link networks of networks.

Multiple Local Certificates
In some instances, it may be desirable to install multiple local certificates that are used to identify the
same host. There are a number of situations where this might be desirable:
• Autonomous management of road warrior tunnels from multiple sites.
• Autonomous management of site-to-site tunnels from multiple sites.
Multiple local certificates are typically used to de-centralize VPN management in larger networks. For
instance, a VPN could be used to create a WAN (Wide Area Network) between three head offices of
a multinational company. Each head office must be responsible for its own VPN links that connect
its regional branches to its head office, as otherwise there would be a reliance on a single set of
administrators in one country / time zone preparing certificates for the entire organization.
Using the above example, each head office VPN gateway could utilize two local IDs (certificates):
• Country head office ID – This ID would be used by a head office to identify itself to head offices from
other countries, to form VPN tunnels that make up the international WAN.
• Head office ID – This ID would be used by a head office to identify itself to other domestic offices, so
that it can manage VPN tunnel connectivity within its own region.
The same concept can be applied to any situation where autonomous VPN management is required.
To continue the above example, many of the offices within one particular country require a number
of road warrior users to connect to their local networks. In this instance, a branch office VPN gateway
could utilize two local IDs (certificates):
• Regional branch office ID – This ID would be used by a branch office to identify itself to the head office
and other branch offices that make up the country-wide WAN.
• Branch office ID – This ID would be used by a branch office to identify itself to its local road warriors,
so that it can manage road warrior connectivity to its own branch.

Creating Multiple Local Certificates
This example will demonstrate how to delegate VPN management from an unconfigured master
Advanced Firewall system to an unconfigured secondary Advanced Firewall system. The secondary
Advanced Firewall system will be responsible for managing site-to-site and road warrior connections
within its own geography.
Firstly, we must create a tunnel to link the master Advanced Firewall to the secondary Advanced
Firewall.
Since this example covers configuration from scratch, you must follow the instructions from the step
most appropriate to your current level of VPN connectivity.
1 On the master system, navigate to the VPN > VPN > Certificate authorities page.
2 Create a local Certificate Authority, see Creating a CA on page 131.
3 Create signed certificates for the master and secondary Advanced Firewall systems, see Managing
Certificates on page 134.
4 Install the master signed certificate as the master Advanced Firewall's default local certificate, see
Setting the Default Local Certificate on page 137.
5 Create the tunnel specification to the secondary Advanced Firewall system, see Site-to-Site VPNs –
IPSec on page 138.
6 Export the secondary Advanced Firewall's signed certificate using the PKCS#12 format, see
Exporting Certificates on page 135.
7 Export the master Advanced Firewall's CA certificate in PEM format, see Exporting the CA Certificate
on page 132.
The remaining series of configuration steps are all carried out on the secondary Advanced Firewall
system, firstly to create the primary site-to-site link.
To create the primary site-to-site link:
1 On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2 Import the CA certificate on the secondary Advanced Firewall, see Importing Another CA's Certificate
on page 133.
3 Import the signed certificate on the secondary Advanced Firewall system, see Importing a Certificate
on page 136.
4 Install the signed certificate as the default local certificate, see Setting the Default Local Certificate on
page 137.
5 Create the tunnel specification to the master Advanced Firewall system, with Local certificate set to
Default, see Site-to-Site VPNs – IPSec on page 138.
6 Test the VPN connection.
The next step is to create an additional CA on the secondary Advanced Firewall system. This
additional CA will be used to create another local certificate for the secondary Advanced Firewall
system, as well as certificates for any further site-to-site or road warrior connections that it will be
responsible for managing.
To create an additional CA on the secondary Advanced Firewall system:
1 On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2 Create a new local Certificate Authority, see Creating a CA on page 131.
3 Create a new signed certificate for the secondary Advanced Firewall system (this will be used as the
secondary Advanced Firewall's second local certificate), see Creating a Certificate on page 134.
4 Create a new signed certificate for any host whose VPN connectivity will be managed by the
secondary Advanced Firewall system.
5 Create a site-to-site or road warrior tunnel specification, and choose the second signed certificate
(created by the previous step) as the Local certificate.
6 Export the local CA and signed certificate created by step 4 to any host whose VPN connectivity will
be managed by the secondary Advanced Firewall system.
7 Create the remote tunnel specification (this could be a road warrior client or another site-to-site
gateway).

Public Key Authentication
It is possible to authenticate a VPN tunnel by exchanging each host's public key with the other.
During authentication, each host uses the other host's public key to decrypt the (private key
encrypted) certificate it will be passed as identity credentials.
This configuration does not require the CA that created either host's certificate to be known to either
VPN gateway. This can be useful in many ways:
• Simplified internal management, using certificates created by an external Certificate Authority.
• Tunnelling between two separate organizations using certificates created by different (possibly
external) CAs.
• Alternative scheme to allow both ends of the tunnel to create their own CA and default local
certificates. This would enable each VPN gateway to manage their own site-to-site and road warrior
connections. This achieves the same result as the previous technique described in the Multiple local
certificates section.

Note: The use of public key authentication should not be considered as a direct replacement for a stringent
X509 based authentication setup. While public key authentication does use some of the same
technologies that constitute an X509 solution, it lacks the ability to validate certificate authenticity. As
such, appropriate precautions should be taken when considering implementing this alternative
authentication method.

Configuring Both Ends of a Tunnel as CAs
This configuration example uses public key authentication to connect two Advanced Firewall
systems, each with their own CA so that they can manage their own site-to-site and road warrior
connections.
The following assumptions have been made:
• Two Advanced Firewall systems.
• Each Advanced Firewall has its own CA.
• Each CA has created a signed certificate for its own local Advanced Firewall system.
To create the tunnel specifications:
1 On both systems, navigate to the VPN > VPN > Certificates page.
2 Export the local certificates from both Advanced Firewall systems using the PEM format, see
Exporting Certificates on page 135.
3 Import each PEM certificate on the opposite Advanced Firewall system, see Importing a Certificate
on page 136.
4 Create an IPSec site-to-site tunnel specification on the first Advanced Firewall system, and select the
second Advanced Firewall system's host certificate in the Authenticate by drop-down list.
5 Create an IPSec site-to-site tunnel specification on the second Advanced Firewall system, and select
the first Advanced Firewall system's host certificate in the Authenticate by drop-down list.
The tunnel can now be established and authenticated between the two Advanced Firewall systems.
In addition, each Advanced Firewall system is able to autonomously manage its own site-to-site and
road warrior connections by using its own CA to create additional certificates.

VPNs between Business Partners
To create a VPN between two separate organizations (such as two firms working together as
partners), it is most likely that an IPSec tunnel will be required. This may be to a non-Advanced
Firewall system, so a degree of co-ordination will be required to decide upon a compatible tunnel
specification.
This example uses certificates created by an external, commercial CA so that each organization can
authenticate certificates presented by the other using a CA that is independent of both organizations.
This configuration example assumes the following:

Local Advanced Firewall system.

Host certificates created by the same commercial CA.

Host certificate, Certificate A created by the commercial CA for the Advanced Firewall system.

Host certificate, Certificate B created by the commercial CA for the other organization's VPN gateway.

Firstly, import the certificate created for the local Advanced Firewall system (Certificate A).
To import the certificate:
1 On the local system, navigate to the VPN > VPN > Certificates page.
2 Import Certificate A, see Importing a Certificate on page 136.
Next, import the commercial CA's certificate:
1 On the system, navigate to the VPN > VPN > Certificates page.
2 Import the CA's certificate according to the file format it was supplied in, see Importing Another CA's
Certificate on page 133.
Next, configure the local tunnel specification in co-operation with the other organization. This is most
likely to be an IPSec site-to-site connection, though it is possible that you could connect to their
network as a road warrior. In either case, full consultation between both organizations is required to
decide on the configuration options to be used on the respective VPN gateways.
Follow these steps to create a site-to-site connection:
1 Connect to Advanced Firewall on the Advanced Firewall system and navigate to the VPN > VPN > IPSec subnets
page.
2 In the local tunnel specification, choose Default local cert subject or Default local cert subject alt.name
from the Local ID type drop-down list. It may however be necessary to use user specified values if the other
VPN gateway is not directly compatible with the way Advanced Firewall communicates certificate subjects.
3 Choose Certificate A from the Local certificate drop-down list to ensure that this tunnel overrides any
default local certificate that might be configured.
4 Choose Certificate provided by peer from the Authenticate by drop-down list. This ensures that Advanced
Firewall authenticates Certificate B against the imported CA certificate when it is presented by the other
organization's VPN gateway.
5 From the Remote ID type drop-down list, choose the ID type that was entered during the creation of
Certificate B using the commercial CA, and enter the matching ID value. This check matters: a commercial CA
issues certificates to many customers, so it is the Remote ID, not the CA signature alone, that restricts the
tunnel to the partner's gateway.
6 Confer with the other organization regarding all other configuration settings and ensure that they
authenticate the tunnel using the CA's certificate and Certificate A as provided by Advanced Firewall at
connection time.

Extended Site to Site Routing
A useful feature of Advanced Firewall is its ability to use the VPN as a means of linking multiple networks
together by creating a centralized VPN hub. The hub is used to route traffic between different networks and
subnets by manipulation of the local and remote network settings in each tunnel specification.
This potentially allows every network to be linked to every other network without the need for a full mesh of
VPN tunnels, i.e. a tunnel from every site to every other site. A full mesh can be awkward to configure and
maintain.
This configuration example assumes the following:

Site A – Local network: 192.168.10.0/255.255.255.0 – Tunnel A connects to Site B.

Site B – Local network: 192.168.20.0/255.255.255.0 – Tunnel A connects to Site A, Tunnel
C connects to Site C.

Site C – Local network: 192.168.30.0/255.255.255.0 – Tunnel C connects to Site B.
The advantage of this approach is that only one tunnel is required for each remote network. The disadvantage
is that the central VPN gateway now routes traffic not destined for itself, so it needs additional bandwidth
and processing capacity for the decryption and re-encryption of forwarded traffic. Also, the central VPN
gateway creates a single point of failure in the network. An improved approach would incorporate backup tunnel
definitions that could be used to create a fail-over VPN hub elsewhere on the network.

Site A Tunnel Definition
A definition for Tunnel A (connecting Site A to Site B) is required. Use the following local and remote
network settings:

Local network – 192.168.10.0/255.255.255.0

Remote network – 192.168.0.0/255.255.0.0
With this configuration, any traffic destined for the Site B network (any address in the range
192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the
definition of the remote end of Tunnel A.
Any traffic destined for the Site C network (any address in the range 192.168.30.0 to
192.168.30.255) will also be routed to Site B, as this range also falls within the definition of the
remote end of Tunnel A. However, this traffic still needs to be forwarded to Site C to reach its
destination – Tunnel C from Site B will ensure this.

Site B Tunnel Definitions
First, a definition for Tunnel A (connecting Site B to Site A) is required. Use the following local and
remote network settings:

Local network – 192.168.0.0/255.255.0.0

Remote network – 192.168.10.0/255.255.255.0
With this configuration, any traffic destined for the Site A network (any address in the range
192.168.10.0 to 192.168.10.255) will be routed to Site A, as this range falls within the
definition of the remote end of Tunnel A.
Next, a definition for Tunnel C (connecting Site B to Site C) is required. Use the following local and
remote network settings:

Local network – 192.168.0.0/255.255.0.0

Remote network – 192.168.30.0/255.255.255.0
With this configuration, any traffic destined for the Site C network (any address in the range
192.168.30.0 to 192.168.30.255) will be routed to Site C, as this range falls within the
definition of the remote end of Tunnel C.
The local network of both Site B tunnels is the whole of 192.168.0.0/16 rather than Site B's own
192.168.20.0/24 because Site B forwards traffic on behalf of the other sites: a packet from Site A to Site C
still carries a 192.168.10.x source address when it leaves Site B, and that address must fall within the local
network of Tunnel C (and, in the reverse direction, a 192.168.30.x source within the local network of Tunnel
A) for the packet to be sent through the tunnel.

Site C Tunnel Definition
A definition for Tunnel C (connecting Site C to Site B) is required. Use the following local and remote
network settings:

Local network – 192.168.30.0/255.255.255.0

Remote network – 192.168.0.0/255.255.0.0
With this configuration, any traffic destined for the Site B network (any address in the range
192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the
definition of the remote end of Tunnel C.
Any traffic destined for the Site A network (any address in the range 192.168.10.0 to
192.168.10.255) will also be routed to Site B, as this range also falls within the definition of the
remote end of Tunnel C. However, this traffic still needs to be forwarded to Site A to reach its
destination – Tunnel A from Site B will ensure this.
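As an added illustration (not code from this guide or from Smoothwall), the following Python script models the three tunnel definitions above as pairs of local/remote selectors and traces the path a packet takes from site to site. It assumes one gateway per site and that a tunnel is used only when both the packet's source and destination fall inside the tunnel's local and remote networks, the most specific remote network winning; the site names, the peer field and the narrow_hub variant are the example's own constructions, and the exact selection order inside the appliance is not described by the guide.

```python
"""Hub-and-spoke IPsec selector model for the Extended Site to Site Routing
example.  Added illustration: a simulation, not Smoothwall code or output."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address


@dataclass(frozen=True)
class Tunnel:
    name: str
    local: IPv4Network    # "Local network" in the tunnel specification
    remote: IPv4Network   # "Remote network" in the tunnel specification
    peer: str             # site at the far end (assumption: one gateway per site)


# The three tunnel definitions from the manual; Site B is the hub.
SITES = {
    "A": [Tunnel("Tunnel A", IPv4Network("192.168.10.0/24"), IPv4Network("192.168.0.0/16"), "B")],
    "B": [Tunnel("Tunnel A", IPv4Network("192.168.0.0/16"), IPv4Network("192.168.10.0/24"), "A"),
          Tunnel("Tunnel C", IPv4Network("192.168.0.0/16"), IPv4Network("192.168.30.0/24"), "C")],
    "C": [Tunnel("Tunnel C", IPv4Network("192.168.30.0/24"), IPv4Network("192.168.0.0/16"), "B")],
}
# Each site's own LAN, so the trace knows when a packet has arrived.
LAN = {"A": IPv4Network("192.168.10.0/24"),
       "B": IPv4Network("192.168.20.0/24"),
       "C": IPv4Network("192.168.30.0/24")}


def select_tunnel(sites, site, src, dst):
    """Pick the tunnel at `site` whose selectors cover the (src, dst) pair.

    Both addresses must match: a packet that the hub forwards on behalf of
    Site A still carries an A source address, so the hub's Local network has
    to include every spoke it forwards for.  Among matching tunnels the most
    specific Remote network wins (longest prefix).  Returns None if nothing
    matches, i.e. the packet would not enter any tunnel at this site.
    """
    src, dst = ip_address(src), ip_address(dst)
    matches = [t for t in sites[site] if src in t.local and dst in t.remote]
    if not matches:
        return None
    return max(matches, key=lambda t: (t.remote.prefixlen, t.local.prefixlen))


def trace(sites, start, src, dst, max_hops=4):
    """Return the list of sites a packet crosses, e.g. ['A', 'B', 'C'].

    Raises LookupError when some site has no tunnel covering the packet,
    which is what a mis-sized Local/Remote network looks like in practice.
    """
    path, site = [start], start
    for _ in range(max_hops):
        if ip_address(dst) in LAN[site]:
            return path
        t = select_tunnel(sites, site, src, dst)
        if t is None:
            raise LookupError(f"site {site}: no tunnel selector covers {src} -> {dst}")
        site = t.peer
        path.append(site)
    raise LookupError("hop limit exceeded; check for a routing loop")


def mirror_errors(sites):
    """Each tunnel must exist at both ends with Local and Remote swapped.

    This is the "set Local network to the opposite end's Remote network
    value" rule from the tutorials; a mismatch is the usual reason a
    site-to-site tunnel refuses to come up.
    """
    errors = []
    for site, tunnels in sites.items():
        for t in tunnels:
            mirrored = any(p.name == t.name and p.peer == site
                           and p.local == t.remote and p.remote == t.local
                           for p in sites[t.peer])
            if not mirrored:
                errors.append(f"{site}/{t.name}: no mirrored definition at site {t.peer}")
    return errors


def narrow_hub():
    """Same topology, but the hub's Local network left at its own /24.

    Spoke-to-hub traffic still works, but forwarding A -> C fails at Site B
    because the forwarded packet's 192.168.10.x source is outside the
    hub's Local network.  This is the failure the /16 definition prevents.
    """
    sites = dict(SITES)
    sites["B"] = [Tunnel("Tunnel A", IPv4Network("192.168.20.0/24"), IPv4Network("192.168.10.0/24"), "A"),
                  Tunnel("Tunnel C", IPv4Network("192.168.20.0/24"), IPv4Network("192.168.30.0/24"), "C")]
    return sites


if __name__ == "__main__":
    print(trace(SITES, "A", "192.168.10.5", "192.168.30.5"))   # ['A', 'B', 'C']
    print(mirror_errors(SITES))                                 # []
    try:
        trace(narrow_hub(), "A", "192.168.10.5", "192.168.30.5")
    except LookupError as err:
        print(err)   # site B: no tunnel selector covers 192.168.10.5 -> 192.168.30.5
```

Running the script prints the A to B to C path for a packet from 192.168.10.5 to 192.168.30.5, an empty list of mirror errors for the definitions above, and the LookupError raised at Site B when the hub's Local network is left at 192.168.20.0/24. The mirror_errors check is worth running against any hub configuration, since widening only one end of a tunnel produces exactly the mismatch it reports.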

Managing VPN Systems
The following sections document how to:

• Control VPNs
• Open and close tunnels
• Monitor and report tunnel activity
• Display tunnel logging information
• Update tunnel licensing

Manually Controlling the VPN System
The following sections explain how to start, stop, restart and view the status of the VPN system.

Starting/Restarting the VPN System
To start or restart the VPN system:
1 Navigate to the VPN > VPN > Control page.
2 Click Restart in the Manual control region.

Automatically Starting the VPN System
Advanced Firewall's VPN system can be set to start automatically when the system is booted. This allows road
warriors to tunnel in without having to wait for the system to be started manually. It also allows site-to-site
tunnels that are initiated on the Advanced Firewall system to negotiate their connection automatically.
To configure automatic start up:
1 Navigate to the VPN > VPN > Control page.
2 In the Automatic control area, select Start VPN sub-system automatically.
3 Click Save.

Stopping the VPN System
To stop the VPN system:
1 Navigate to the VPN > VPN > Control page.
2 Click Stop in the Manual control region.

Viewing the VPN System Status
To view the VPN system status:
1 Navigate to the VPN > VPN > Control page.
2 Click Refresh in the Manual control region.
3 View the current status in the Current status information field.
There are two possible system statuses:
• Running – The VPN system is currently operational; tunnels can be connected.
• Stopped – The VPN system is not currently operational; no tunnels can be connected.

Viewing and Controlling Tunnels
All configured tunnels can be viewed and controlled from the VPN > VPN > Control page. There are two possible
tunnel statuses:
• Open – The tunnel is connected; communication across the tunnel can take place.
• Closed – The tunnel is not connected; no communication across the tunnel can take place.

IPSec Subnets
Site-to-site IPSec subnet connections are shown in the IPSec subnets region of the VPN > VPN > Control page.
The information displayed is:
• Name – The name given to the tunnel.
• Remote IP – The IP address of the other end of the tunnel.
• Control:
  • Up – Open the tunnel connection
  • Down – Close the tunnel connection.

IPSec Road Warriors
IPSec road warrior connections are shown in the IPSec road warriors region of the VPN > VPN > Control page.
The information displayed is:
• Name – The name given to the tunnel.
• Internal IP – The IP address of the local tunnel end.
• Remote IP – The IP address of the other end of the tunnel.
• Control:
  • Up – Open the tunnel connection
  • Down – Close the tunnel connection.

L2TP Road Warriors
L2TP road warrior connections are shown in the L2TP Road Warriors region of the VPN > VPN > Control page.
The information displayed is:
• Name – The name given to the tunnel.
• Internal IP – The IP address of the local tunnel end.
• Control:
  • Up – Open the tunnel connection
  • Down – Close the tunnel connection.

SSL Road Warriors
SSL road warrior connections are shown in the SSL Road Warriors region of the VPN > VPN > Control page. The
information displayed is:
• Username – The name given to the tunnel.
• Internal IP – The IP address of the local tunnel end.
• External IP – The IP address of the other end of the tunnel.
• Control:
  • Up – Open the tunnel connection
  • Down – Close the tunnel connection.

VPN Logging
VPN log entries can be found in the Logs and reports > Logs > IPSec page.

VPN Tutorials
The following tutorials cover the creation of the main types of VPN tunnels. The examples build on each other,
i.e. the configuration settings in an example build on those of the previous one.

Example 1: Preshared Key Authentication
This first example begins with a simple two network VPN using shared secrets. This is the easiest to set up.
The following networks are to be routed together via a VPN tunnel: Network A, 192.168.0.0/24, behind the
gateway at 100.0.0.1, and Network B, 192.168.12.0/24, behind the gateway at 200.0.0.1 (the values used in the
tunnel tables below). We will use Preshared Key authentication initially. This tunnel we call Tunnel 1.

Configuring Network A
There is no need for a CA or any certificates. On the VPN > VPN > IPSec subnets page, create a tunnel with the
following characteristics. Where a parameter is not listed, leave it at its default value:

  Parameter                  Description
  Name                       Tunnel 1
  Local network              Set to the opposite end's remote network value.
  Local ID type              Local IP
  Remote IP or hostname      200.0.0.1
  Remote network             192.168.12.0/24
  Remote ID type             Remote IP (or ANY if blank Remote IP)
  Authenticate by            Preshared Key
  Preshared Key              loudspeaker
  Preshared Key again        loudspeaker

The key loudspeaker is a placeholder for the tutorial; in production use a long, randomly generated key.
Note: When configuring multiple PSK-based tunnels, use User specified IP address as the Remote ID type and
the remote system's external IP as the Remote ID value.

Configuring Network B
Here a single tunnel is created:

  Parameter                  Description
  Name                       Tunnel 1
  Local network              Set to the opposite end's remote network value.
  Local ID type              Local IP
  Remote IP or hostname      100.0.0.1
  Remote network             192.168.0.0/24
  Remote ID type             Remote IP (or ANY if blank Remote IP)
  Authenticate by            Preshared Key
  Preshared Key              loudspeaker
  Preshared Key again        loudspeaker

All other settings can be left at their defaults.

Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge.
To create the zone bridge:
1 On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the
IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more
information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Testing
Restart the VPN system on both ends. Because both ends are set as initiators, the tunnels should come up
immediately. If this does not happen, refer to Appendix C, Troubleshooting VPNs on page 331.
To actually test that the VPN is routing, ping a host on the remote network from a machine on the local one.
You should also be able to connect to servers and desktops on the remote network using your standard tools.

Example 2: X509 Authentication
In this example, the same network as used in Example 1 will be used, see Example 1: Preshared Key
Authentication on page 178. This time we will improve the setup by using X509 authentication instead of PSK.

Configuring Network A
Network A will be configured to be the Certificate Authority in the system. Begin by going to the Authorities
page and setting up the CA. You should, of course, enter values appropriate to your organization:

  Parameter                  Description
  Common Name                Network A Cert Auth
  Organization               My Company Ltd

From now on, we will list only the required fields. In this example, we will enter My Company Ltd in all
Organization fields on the certificates we create.
Next you should export this certificate in PEM format, and save it on the local workstation's hard disk. We
will call this file ca.pem. You will need this file later.
Switch to the certificates page and create the local certificate. It requires ID information:

  Parameter                  Description
  ID Type                    Host & Domain name
  ID Value                   tunnela.mycompany.com
  Common Name                Network A Local Cert
  Organization               My Company Ltd

The peer (the Network B machine) needs a certificate too:

  Parameter                  Description
  ID Type                    Host & Domain name
  ID Value                   tunnelb.mycompany.com
  Common Name                Network B Cert
  Organization               My Company Ltd

Create both certificates, and then export the Network B Cert certificate in PKCS#12 format. You will need to
enter the passphrase to encrypt this certificate with; enter it in both boxes. We will call this file
tunnelb.p12. The PKCS#12 file contains Network B's private key, so pass it to the Network B administrator over
a secure channel, send the passphrase separately, and delete the workstation copy once it has been imported.
Choose the Network A Local Cert certificate to be the Default local certificate, and press Save. We will
restart the VPN shortly to make this change active. Now onto the tunnels page.

The tunnel specification is a little more complex. Here it is:

  Parameter                  Description
  Name                       Tunnel 1
  Local network              Set to the opposite end's remote network value.
  Local ID type              Default local cert subject alt. name
  Remote IP or hostname      200.0.0.1
  Remote network             192.168.12.0/24
  Remote ID type             Host & Domain name
  Remote ID value            tunnelb.mycompany.com
  Authenticate by            Certificate presented by peer

Add the tunnel.

Configuring Network B
The first step is to import the certificates.
To import the certificates:
1 On the Certificate authorities page, import the ca.pem file.
2 On the certificates page, import the tunnelb.p12 file you created earlier. Remember to input the passphrase
used to create the export file in both boxes.
3 Choose the certificate, Network B Cert, as the Default local certificate and click Save.
The tunnel configuration should look like this:

  Parameter                  Description
  Name                       Tunnel 1
  Local network              Set to the opposite end's remote network value.
  Local ID type              Default local cert subject alt. name
  Remote IP or hostname      100.0.0.1
  Remote network             192.168.0.0/24
  Remote ID type             Host & Domain name
  Remote ID value            tunnela.mycompany.com
  Authenticate by            Certificate presented by peer

Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking > Filtering >
Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want
traffic to flow in both directions, make the rule bi-directional. For more information, see Chapter 6,
Configuring Inter-Zone Security on page 59.

Testing
As before, restart both ends of the tunnel. If the tunnel fails to come up, the most likely cause is a mismatch
of IDs: the Remote ID value on each gateway must equal the ID (the subject alternative name) in the peer's
certificate, and the Local ID type must select the field the peer expects. Check the IDs in the certificates by
clicking on them in the certificate page; the ID is the same as the Certificate ID. Examine the log for
telltale messages.

0. Network C to the VPN network.0.0/16 Local ID type Default local cert subject alt. We set the following properties for this certificate: Parameter Description ID Type Host & Domain name ID Value tunnelc.com Common Name Advanced Firewall C Cert Organization My Company Ltd Modify the existing tunnel to Network B.1 Remote network 192.0. and vice versa. Now we create a new tunnel to Advanced Firewall C: 182 Parameter Description Name Tunnel 2 Local subnet 192.13. we explained how to create centralized VPN hubs using extended subnetting. We will use this technique to allow Network B to route to Network C. In Extended Site to Site Routing on page 174.0/16 Notice how this subnet mask now covers all subnets in the VPN. and export it as a PKCS#12 file. Network A Configuration Create a new certificate for the new peer. All settings are unchanged except: Parameter Description Local subnet 192.0/24 .mycompany.0.168.168. We want Network C to be able to access both the Network A subnet and Network B.Virtual Private Networking VPN Tutorials Example 3: Two Tunnels and Certificate Authentication We will now add an additional system. name Remote IP or hostname 250.168.

mycompany. Configuring Inter-Zone Security on page 59.168. see Chapter 6. running SafeNet SoftRemote.0. If you want traffic to flow in both directions. and then create the tunnel to Network A: Parameter Description Name Tunnel 2 Local ID type Default local cert subject alt. the road warrior will be able to access Network B and Network C as well. On the Networking > Filtering > Zone bridging page. In addition to being able to access the Network A local network (192.Smoothwall Advanced Firewall Administrator’s Guide Parameter Description Remote ID type Host & Domain name Remote ID value tunnelc.168. create a zone bridge between the local network and the IPSec interface.0/16 Network C Configuration Import the certificate. Testing Test in the same way as before. Then you should test that you can route across Network A by pinging a host on the Network C network from the Network B network.com Authenticate by Certificate presented by peer Network B Configuration Modify the tunnel as follows: Parameter Description Remote subnet 192.1 Remote network 192.0/24). name Remote IP or hostname 100. 183 .0. For more information.0. you should test by pinging a machine on the Network A end from both of the Network B and Network C networks.com Authenticate by Certificate presented by peer Creating a Zone Bridge In order for traffic to flow down the tunnel. you must create a zone bridge.0. make the rule bi-directional. Example 4: IPSec Road Warrior Connection Now we will add a road warrior.mycompany. After bringing up both tunnels. This road warrior will connect to the Network A gateway.168.0/16 Remote ID type Host & Domain name Remote ID value tunnela.0.

The road warrior is required to assume an internal IP on Network A's local network, in this case 192.168.0.5.

Network A Configuration
Create a certificate with the following properties:

  Parameter                  Description
  Common Name                IPSec road warrior
  Organization               My Company Ltd

Note: No ID is required on this certificate.
Now create the IPSec road warrior tunnel:

  Parameter                  Description
  Name                       IPSec road warrior
  Local network              192.168.0.0/16
  Local ID type              Default local cert subject
  Client IP                  192.168.0.5
  Remote ID type             Remote IP (or ANY if blank Remote IP)
  Authenticate by            Certificate provided by peer

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA
file, ca.pem.

SoftRemote – Configuration
This tutorial describes setting up the client using a policy template as a shortcut to getting the connection
up and running. Full details, including detailed screen shots, are given in Working with SafeNet SoftRemote on
page 187.
After installing the client, begin by going to the Certificate Manager and importing the ca.pem and the
computercert.p12 certificate. In the Security Policy Editor, import the template policy, policytemplate.spd,
which is on the installation CD. This policy file contains most of the input fields pre-filled with suitable
defaults, and will save a lot of time configuring the client. If you use different settings to those described
in this tutorial, compression for example, then you will have to modify those settings.
The following fields need to be filled in after importing the policy template.
In road warrior:

  Parameter                    Description
  Gateway IP Address           100.0.0.1
  Subnet                       192.168.0.0
  Mask                         255.255.0.0

In My Identity:

  Parameter                    Description
  Internal Network IP Address  192.168.0.5

After making the changes, remember to save the Security Policy.

Testing
To bring up the connection, the simplest way is to ping a host on the network behind the gateway. After a few
retries, you should see the task bar icon change to show a yellow key. This indicates that the tunnel is up.
Your client computer will then appear to be connected to the local network behind the VPN gateway. This works
both ways: a machine on the local network can connect to the road warrior. Also, because the tunnel covers all
three local networks, you should be able to connect to all three. You should be able to browse web servers,
and so on.

Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking > Filtering >
Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want
traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6,
Configuring Inter-Zone Security on page 59.

Example 5: L2TP Road Warrior
This example consists of an additional road warrior client, this time running Microsoft Windows XP and using
Microsoft's L2TP road warrior client.

Network A Configuration
Create a certificate with the following properties:

  Parameter                  Description
  Common Name                L2TP road warrior
  Organization               My Company Ltd

Note: No ID is required on this certificate.
Now create the L2TP road warrior tunnel:

  Parameter                  Description
  Name                       L2TP road warrior
  Authenticate by            Certificate provided by peer
  Client IP                  192.168.0.6
  Username                   road warrior
  Password                   microphone

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA
file, ca.pem.

L2TP Client Configuration
This tutorial only outlines the process of configuring an L2TP client. For detailed instructions, see
Installing an L2TP Client on page 158.

Begin by using the L2TPWizard to import the two certificates. After bringing up the New Connection wizard,
the only detail that must be configured is the VPN gateway external address, 100.0.0.1 in this example. In
the Connection dialog, enter the username and password as configured on the Advanced Firewall A gateway:

  Parameter                  Description
  Username                   road warrior
  Password                   microphone

Finally, press the Connect button to initiate a connection to the Advanced Firewall A VPN gateway.
In TCP/IP properties, Advanced settings, you can choose to use the remote network as the default gateway for
the L2TP client. This option, enabled by default, is required if the client needs to be able to route to the
Advanced Firewall B and Advanced Firewall C networks. This is because the L2TP client does not provide any
facilities for setting up remote network masks. With the option enabled it will be possible to route to other
subnets, including VPN-connected ones.

Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking > Filtering >
Zone bridging page, create a zone bridge between the local network and the L2TP interface. If you want
traffic to flow in both directions, make the rule bi-directional. For more information, see Chapter 6,
Configuring Inter-Zone Security on page 59.

Working with SafeNet SoftRemote
The following sections are a configuration guide for connecting to the Advanced Firewall VPN gateway using
SafeNet SoftRemote.

Configuring IPSec Road Warriors
First, create a signed certificate for the road warriors. An ID type is not normally required, although it does
no harm to include one when creating the certificate. Then add the tunnel. On the VPN > VPN > IPSec roadwarrior
page, the Client IP field is used to input the particular local network IP address. The IP address should be a
previously unused address and unique to the road warrior. Set the Local ID type to Default local cert Subject,
and set the Authenticate by setting to the certificate for this road warrior connection, over-riding the
default local certificate.
Note: The same advanced options are available as used when configuring IPSec Subnet VPNs. This includes the
encryption settings.
Each road warrior requires their own tunnel, so create as many tunnels as there are road warriors. Each road
warrior user will need their own IP address. Such an IP address must be in a local network zone and currently
unused. Typically, you would choose a group of IP addresses outside of both the DHCP range and the statically
assigned machines such as servers. When connected, each road warrior gets an IP address in a specified local
network zone and will, to all intents and purposes, be on that local network zone, just as if it was plugged in
directly. This also means that other machines in the network can see the client, and that the client can reach
everything the tunnel's Local network setting covers; narrow that setting where a client does not need the
whole zone (see Advanced Configuration below).
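The rules in the preceding paragraphs can be checked mechanically before the tunnels are created. The script below is an added example, not Smoothwall code: given the local network zone, the gateway address, the DHCP pool, the statically assigned servers and the Client IP of every road warrior tunnel, it reports any address that is outside the zone, reserved, or claimed by two tunnels, and proposes the next free Client IP. The zone is the tutorial's Network A; the gateway address, DHCP pool and server addresses are constructed assumptions rather than values from the guide.

```python
"""Client IP planning for IPSec and L2TP road warrior tunnels.

Added illustration, not Smoothwall code: one tunnel per road warrior, each
Client IP inside the local network zone, unused, unique, and outside both the
DHCP pool and the statically assigned servers.
"""
from ipaddress import IPv4Address, IPv4Network


def address_range(first, last):
    """All addresses from first to last inclusive, e.g. a DHCP pool."""
    a, b = IPv4Address(first), IPv4Address(last)
    return {IPv4Address(n) for n in range(int(a), int(b) + 1)}


def reserved_addresses(zone, gateway, dhcp_pool, static_hosts):
    """Addresses that must never be handed to a road warrior."""
    return ({zone.network_address, zone.broadcast_address, IPv4Address(gateway)}
            | set(dhcp_pool) | {IPv4Address(h) for h in static_hosts})


def check_client_ips(zone, gateway, dhcp_pool, static_hosts, tunnels):
    """Return a list of problems with the Client IP of each road warrior tunnel.

    `tunnels` maps tunnel name to the Client IP entered on the IPSec roadwarrior
    (or L2TP) page.  An empty list means the definitions satisfy the rules.
    """
    problems = []
    reserved = reserved_addresses(zone, gateway, dhcp_pool, static_hosts)
    owner = {}  # Client IP -> first tunnel that claimed it
    for name, raw in tunnels.items():
        ip = IPv4Address(raw)
        if ip not in zone:
            problems.append(f"{name}: {ip} is outside the local network zone {zone}")
        elif ip in reserved:
            problems.append(f"{name}: {ip} is reserved (gateway, DHCP pool or static host)")
        if ip in owner:
            problems.append(f"{name}: {ip} is already used by tunnel {owner[ip]}")
        owner.setdefault(ip, name)
    return problems


def next_client_ip(zone, gateway, dhcp_pool, static_hosts, tunnels):
    """Lowest free address for a new road warrior, or None if the zone is full."""
    taken = reserved_addresses(zone, gateway, dhcp_pool, static_hosts)
    taken |= {IPv4Address(ip) for ip in tunnels.values()}
    for host in zone.hosts():
        if host not in taken:
            return host
    return None


# Constructed example around the tutorial's Network A (192.168.0.0/24).
ZONE = IPv4Network("192.168.0.0/24")
GATEWAY = "192.168.0.1"                                        # assumption
DHCP_POOL = address_range("192.168.0.100", "192.168.0.199")   # assumption
SERVERS = ["192.168.0.2", "192.168.0.3", "192.168.0.4"]       # assumption
TUNNELS = {"IPSec road warrior": "192.168.0.5",                # Example 4
           "L2TP road warrior": "192.168.0.6"}                 # Example 5


if __name__ == "__main__":
    print(check_client_ips(ZONE, GATEWAY, DHCP_POOL, SERVERS, TUNNELS))   # []
    print(next_client_ip(ZONE, GATEWAY, DHCP_POOL, SERVERS, TUNNELS))     # 192.168.0.7
```

With the tutorial's two tunnels the check passes and the next free Client IP is 192.168.0.7. Feeding it a tunnel list that reuses 192.168.0.5, picks an address inside the DHCP pool, or names an address outside the zone produces one line per offending tunnel, which is the kind of mistake that otherwise only shows up as a road warrior that connects but cannot be reached.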

SoftRemote
This documentation covers both version 9 and version 10 of this client. However, version 8 is known to work as
well as version 9, and older versions which support Virtual IP addresses should also inter-operate.
Specifically, you should consider upgrading to at least version 9 because of known security-related problems
with version 8. We also recommend that the LT versions of this software be used, which do not incorporate Zone
Alarm. Configuration of Zone Alarm will not be covered in this manual.
NAT-T is handled automatically by this client. No extra configuration is required. Check the log messages in
the client to see if NAT-T mode is being used as expected.

Using the Security Policy Template
To make configuration of this client easier, you may use a Security Policy template that will pre-fill most of
the settings to suitable values, saving you from the chore of doing it yourself. For completeness, we will
also describe how you would set up the client without the policy.
1 After installation, open the Certificate Manager. In the Root CA's tab, import a CA .PEM from Advanced
Firewall.
2 In the My Certificates tab, import a .P12. Enter the export password, and a short time later the certificate
should appear in the list.
3 Next, select the certificate, and click Verify (on the right). You should get a message saying the
certificate is valid (because the CA certificate is installed) but lacks a CRL (Certificate Revocation List).
This indicates the certificate is valid. Note that without a CRL the client cannot notice a certificate that
the CA has since revoked.
4 Open the Security Policy Editor and import the Security Policy template, policytemplate.spd, which can be
found in the extras folder on the installation CD. After importing this policy, a single connection, named
road warrior, will become available.
5 Assuming the Advanced Firewall gateway is using the standard settings for its road warrior clients, only a
handful of settings must be entered, i.e. those described above. Obviously, if you are not using standard
settings, then you will have to modify those particular settings; for instance, if you are using compression,
then you will have to enable it in the client.
6 In the road warrior section, enter the Remote Subnet, Mask and the gateway's hostname (or IP address).

7 In the My Identity section, enter the Internal Network IP Address, as described in D.1.
8 Save the settings, and close the Security Policy Editor.
9 To bring up the connection to the Advanced Firewall gateway, you must send it a packet. The easiest way to do
this is by pinging a host on the remote network. After a series of Request timed out messages you should
start to get packets back, indicating that the VPN is up (you will also notice the system tray icon change).

Creating a Connection without the Policy File
We will now describe how to set up the client without using the security policy template. Before creating the
connection, you must activate a special feature within the client which allows you to specify a local network
zone IP address for the client to take when it connects to the VPN gateway.
1 Select Global Policy Settings from the Options menu. A window will appear, and you should tick the box marked
Allow to specify internal network address.
2 Now go back to the tree control on the left and choose the New Connection node. You can rename this to
something more appropriate, like road warrior. In this node, configure the remote Subnet address and Mask.

will suffice. This time period has to be less then the equivalent setting in the Advanced Firewall. which defaults to 60 minutes (3600 seconds). 5 In the Internal network IP. the Distinguished Name. You should then enter either a Gateway IP Address or Gateway Hostname. enter the local network zone IP address (the Client IP) that was specified when the tunnel was created. Virtual adapter should be disabled. 4 Next. and MD5 as the hashing algorithm. move to the My Identity node. another word for the subject of a certificate. and choose a SA Life of 3000 seconds.Virtual Private Networking Working with SafeNet SoftRemote 3 Choose Secure Gateway Tunnel from the Connect using drop-down list. The ID type’s default. Set the key group to 5. Select the certificate you imported earlier. and select an ID Type of Any. and Internet Interface set to Any. 6 Create a new Phase 1 security policy: Select 3DES encryption. This is 190 .

for example 192.168.10/32. as well as key life settings. In this page you can select compression or not. and again 3DES and MD5. especially if the client certificates are not installed onto the VPN gateway server. the selected certificate will be required by the client in order to obtain a connection. It is also possible to restrict (or extend) the hosts that the road warrior can access on the local network zone. 191 . then you could set the Local network parameter to 192. 8 Once again.Smoothwall Advanced Firewall Administrator’s Guide necessary to ensure the tunnel is always re-keyed. the Local network setting can likewise be expanded to cover them. Tick the ESP box.2. Note that this setting is a network address. Advanced Configuration Using the configuration previously described. 9 Test as before. in a tunnel. 7 Finally create a Phase 2 security policy. This method is usually desired. by initiating a connection to a host on the Remote Network.168. set the SA Life to 3000 seconds. but in other cases an Authenticate by setting of Certificate provided by peer can be more useful.2. For example. If the VPN server the road warrior connects to is routed onto other networks such as subnet VPNs or other local network zones. even if that network mask covers only a single host. Visit the support portal and knowledge base for information on setting up other clients. so you must always specify a network mask.10. This is done by adjusting the Local network parameter in the tunnel configuration. Diagnostic logs are available through the tool bar icon. if you wish to restrict the connected road warriors so that they can only contact a specific IP address.


Chapter 10 Authentication and User Management
In this chapter:
• Configuring global authentication settings
• Working with directory servers
• Managing groups of users
• Managing temporarily banned users
• Viewing user activity
• About SSL login
• Managing Kerberos keytabs
• Using WPA Enterprise

Configuring Global Authentication Settings
Configuring global authentication settings entails setting the login timeout, the number of concurrent login sessions allowed and the type of authentication logging you require.
To configure log-in and logging settings:
1 Navigate to the Services > Authentication > Settings page.

2 Configure the following settings:
Login timeout (minutes): Determines the length of time of inactivity after which a user is logged out. Accept the default or enter the time-out period.
Note: Setting a short login timeout increases the load on the machine. It also increases the rate of re-authentication requests, particularly when using transparent NTLM or SSL Login. Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out.
Tip: Encourage users to pro-actively log out of the system to ensure that other users of their workstation cannot assume their privileges if the login time-out is yet to occur. For more information, see Appendix A, About the Login Time-out on page 302.
Concurrent login sessions (per user): Concurrent login settings determine how many logins are allowed per user. The following options are available: No limit – Select this option to allow an unlimited number of logins per user, or enter the number of logins you want to allow users.
Logging level: Logging levels determine the type of authentication logging you want. The following options are available: Normal – Select this option to log user login and LDAP server information. Verbose – Select this option to log user login and LDAP server information, together with request, response and result information. This option is useful when troubleshooting possible authentication issues.
3 Click Save changes.
Advanced Firewall applies the changes. The behavior of some authentication mechanisms is automatically adjusted by the time-out period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time out.

About Directory Servers
The Advanced Firewall authentication service is designed to enable Advanced Firewall to connect to multiple directory servers in order to:
• Retrieve groups configured in directories and apply network and web filtering permissions to users based on group membership within directories
• Verify the identity of a user who is trying to access network or Internet resources.
Once the connection to a directory service has been configured, Advanced Firewall retrieves a list of the groups configured in the directory and maps them to the groups available in Advanced Firewall. When the groups have been mapped, permissions and network access permissions in the filtering and outgoing sections can be granted on the basis of group membership.

For information on how authentication works and interacts with other systems, see Appendix A, Authentication on page 301.
Currently, Advanced Firewall supports the following directory servers:
Microsoft Active Directory: Microsoft's Active Directory. For more information, see Configuring a Microsoft Active Directory Connection on page 195. For information on using the legacy method to connect to Active Directory, see Configuring an Active Directory Connection – Legacy Method on page 200.
Novell eDirectory, Apple/Open LDAP, 389 Directory: Various directories which support the LDAP protocol. For more information, see Configuring an LDAP Connection on page 196.
RADIUS: Remote Authentication Dial In User Service. For more information, see Configuring a RADIUS Connection on page 199.
Local users: A directory of Advanced Firewall local users. For more information, see Configuring a Local Users Directory on page 203.

Configuring Directories
The following sections explain how to configure Advanced Firewall for use with supported directory servers.

Configuring a Microsoft Active Directory Connection
The following sections explain the prerequisites for Microsoft Active Directory and how to configure Advanced Firewall to work with Microsoft Active Directory.

Prerequisites for Active Directory
Before you configure any settings for use with Active Directory:
• On the Networking > Interfaces > Interfaces page, check that the primary, and optionally the secondary, DNS server containing the Active Directory information is specified correctly. This DNS server is used by Advanced Firewall for name lookups. For more information, see Appendix A, Advanced Firewall and DNS on page 302.
• Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized using NTP. See Chapter 13, Setting Time on page 269 for more information.
• In Active Directory, choose or configure a non-privileged user account to use for joining the domain. The account that you use needs permission to modify the Computers container. To delegate these permissions to a non-privileged user account, choose Delegate Control on the Computers container, create a custom task to delegate and, for Computer objects, grant the full control, create and delete privileges.
Note: We strongly recommend that you do not use an administrator account. Advanced Firewall stores this account's credentials, for instance when backing up and replicating settings, so anyone who can read a backup can use whatever rights the account holds. Delegate only the rights listed above to it.

Configuring an Active Directory Connection
The following section explains what is required to configure a connection to Active Directory.
To configure the connection:
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select Active Directory and configure the following settings:
Status: Select Enabled to enable the connection.
Tenants: Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same. Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
Domain: Enter the full DNS domain name of the domain. Other trusted domains will be accessible automatically.
Username: Enter the username of the user account.
Password: Enter the password for the user account.
Confirm: Re-enter the password to confirm it.
Cache timeout (minutes): Click Advanced. Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache, i.e. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache, until the cache timeout has passed. Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer.
Comment: Optionally, enter a comment about the directory.
3 Click Add.
Advanced Firewall adds the directory to its list of directories and establishes the connection.

Configuring an LDAP Connection
The following section explains what is required to configure a connection to an eDirectory, Apple/OpenLDAP or 389 directory server.
To configure an LDAP connection:
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select one of the following: eDirectory, Apple/OpenLDAP Directory or 389 Directory, and configure the following settings:
Status: Select Enabled to enable the connection.

Tenants: Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same. Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
LDAP server: Enter the directory's IP address or hostname. Note: If using Kerberos as the bind method, you must enter the hostname.
Bind method: Accept the default bind method, or from the drop-down list, select one of the following options: TLS (with password) – Select to use Transport Layer Security (TLS). Simple bind – Select to bind without encryption. This is frequently used by directory servers that do not require a password for authentication. Kerberos – Select to use Kerberos authentication. Note: A simple bind that does carry a password sends it in clear text, so use it only on a trusted network segment or over LDAPS (port 636, see LDAP port below).
Kerberos realm: If using Kerberos, enter the Kerberos realm. Use capital letters.
Username: When not using Kerberos, enter the username of a valid account in LDAP notation. The format depends on the configuration of the LDAP directory. Normally it should look something like this: cn=user,ou=container,o=organization. This is what is referred to in Novell eDirectory as tree and context. A user in the tree Organization and in the context Sales would have the LDAP notation: cn=user,ou=sales,o=organization. For Apple Open Directory, the LDAP username can be written as: uid=user,cn=users,dc=example,dc=org. Consult your directory documentation for more information.
Password: Enter the password of a valid account. Note: A password is not required if using simple bind as the bind method.
Confirm: Re-enter the password to confirm it.

User search root: Enter where in the directory Advanced Firewall should start looking for user accounts. Usually, this is the top level of the directory. OpenLDAP-based directories will often use the form o=myorganization. Apple Open Directory uses the form cn=users,dc=example,dc=org. A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories, o=myorganization. In LDAP form, this is seen in the directory as dc=mycompany,dc=local.
Note: With larger directories, it may be a good idea to narrow down the user search root so Advanced Firewall does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.
Note: When working with multi-domain environments, the user search root must be set to the top level domain.
Extra user search roots: This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter one search root per line. For example: ou=myusers,dc=mydomain,dc=local. For more information, see Appendix A, Working with Large Directories on page 303.
Group search roots: Enter where in the directory Advanced Firewall should start looking for user groups. Usually this will be the same location as configured in the User search root field. Apple Open Directory uses the form cn=groups,dc=example,dc=org.
Note: Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section. The principle is the same as with the user search root setting.
Extra group search roots: Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter one search root per line. For example: ou=mygroups,dc=mydomain,dc=local.
LDAP port: Accept the default or enter the LDAP port to use. Note: LDAPS (SSL) will be automatically used if you enter port number 636.
Cache timeout: Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
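The search root settings above decide which part of the directory a lookup is allowed to see, and the 1000-result cap is why a flat group search root can fail on a large directory. The following Python script is an added example, not Smoothwall code: it models a directory as a dictionary of DNs, scopes each search by base DN the way a main search root plus extra search roots would, and raises when a single root would return more than the (assumed) 1000-entry server limit. The directory contents, OU names and the limit are constructed for illustration; no LDAP server is contacted.

```python
"""Search-root scoping for a directory lookup, an added example (not Smoothwall code).

Models how a user or group search is confined by a base DN (the User search
root, Group search roots and the extra roots above) and why a directory that
caps a search at 1000 results forces a narrower group search root.  The
directory contents and the 1000 cap are constructed here; no server is queried.
"""

SERVER_SIZE_LIMIT = 1000   # per-search cap described on the page; value assumed


class SizeLimitExceeded(Exception):
    """A single search would return more entries than the server allows."""


def parse_dn(dn):
    """Split a DN into (attribute, value) RDNs, most specific first.

    Honours backslash-escaped commas inside values (RFC 4514) and lower-cases
    both halves so 'CN=Users,DC=Corp' and 'cn=users,dc=corp' compare equal."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    out = []
    for rdn in rdns:
        attribute, _, value = rdn.partition("=")
        out.append((attribute.strip().lower(), value.strip().lower()))
    return out


def is_under(dn, base):
    """True if `dn` is the base itself or lies below it (base is a suffix of dn)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def search(directory, roots, object_class, size_limit=SERVER_SIZE_LIMIT):
    """Entries of `object_class` under any of `roots`, one search per root.

    Mirrors a main search root plus extra search roots: each root is searched
    on its own and the results are merged without duplicates.  A root whose
    subtree holds more than `size_limit` matches raises SizeLimitExceeded, as
    a server that refuses to return more than that many results would."""
    found = {}
    for root in roots:
        hits = [dn for dn, entry in directory.items()
                if entry["objectClass"] == object_class and is_under(dn, root)]
        if len(hits) > size_limit:
            raise SizeLimitExceeded(f"{len(hits)} {object_class} entries under {root}")
        for dn in hits:
            found[dn] = directory[dn]
    return found


def needs_narrower_root(directory, root, object_class):
    """True if a search from `root` alone would hit the server's size limit."""
    try:
        search(directory, [root], object_class)
    except SizeLimitExceeded:
        return True
    return False


def build_sample_directory():
    """Constructed directory: 1200 groups in two OUs, users in two OUs."""
    d = {}
    for i in range(900):
        d[f"cn=staff-{i},ou=staffgroups,dc=mycompany,dc=local"] = {"objectClass": "group"}
    for i in range(300):
        d[f"cn=student-{i},ou=studentgroups,dc=mycompany,dc=local"] = {"objectClass": "group"}
    d["cn=alice,ou=myusers,dc=mycompany,dc=local"] = {"objectClass": "user"}
    d["cn=Carol\\, Admin,OU=MyUsers,DC=mycompany,DC=local"] = {"objectClass": "user"}
    d["cn=bob,ou=contractors,dc=mycompany,dc=local"] = {"objectClass": "user"}
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print(needs_narrower_root(d, "dc=mycompany,dc=local", "group"))            # True
    print(len(search(d, ["ou=staffgroups,dc=mycompany,dc=local",
                         "ou=studentgroups,dc=mycompany,dc=local"], "group")))  # 1200
    print(sorted(search(d, ["ou=myusers,dc=mycompany,dc=local",
                            "ou=contractors,dc=mycompany,dc=local"], "user")))
```

Run from the top-level domain, the group search trips the limit; split into one root per OU it returns all 1200 groups, which is exactly the split the Extra group search roots setting exists for. The user search shows the other half of the rule: a user in ou=contractors is invisible to a search root of ou=myusers until that OU is added as an extra root, and DN matching is case-insensitive with escaped commas left intact.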

Extra realms: This setting enables you to configure subdomains manually, as opposed to automatically using DNS. Only available if you have selected Kerberos as the authentication method. Use the following format: <realm><space><kdc server> For example: example.org kdc.example.org Enter one realm per line.
Discover Kerberos realms through DNS: Select this advanced option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
Comment: Optionally, enter a comment about the directory.
3 Click Add.
Advanced Firewall adds the directory to its list of directories and establishes the connection.

Configuring a RADIUS Connection
You can configure Advanced Firewall to use a Remote Authentication Dial In User Service (RADIUS) server as an authentication service.

Prerequisites
Before you configure any settings:
• Configure the RADIUS server to accept queries from Advanced Firewall. Consult your RADIUS server documentation for more information.

Configuring the Connection
To configure the connection:
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select RADIUS and configure the following settings:
Status: Select Enabled to enable the connection.
Tenants: Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same. Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
RADIUS server: Enter the hostname or IP address of the RADIUS server.
Secret: Enter the secret shared with the server.
Confirm: Re-enter the secret to confirm it.

Port: Accept the default port or specify a UDP port to use when communicating with the RADIUS server. The default is port 1812.
Identifying IP address: Enter the IP address to use to identify the caller connecting to the RADIUS server, if it must be different to the internal IP address of the system.
Obtain groups from RADIUS: If the RADIUS server can provide group information, select this option to enable Advanced Firewall to use the group information in the RADIUS Filter-Id attribute. When not enabled, Advanced Firewall will use group information from the next directory server in the list. If there are no other directories in the list, Advanced Firewall will place all users in the Default Users group.
Action on login failure: Try next directory server – Select this option if users in RADIUS are unrelated to users in any other directory server. Deny access – Select this option if the RADIUS password should override the password set in another directory server, for example when using an authentication token; a failed RADIUS login then prevents the account from being authenticated by any later directory in the list, so a user whose token fails cannot fall back to a static password held elsewhere.
Cache timeout (minutes): Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
Comment: Optionally, enter a comment about the directory.
3 Click Add.
Advanced Firewall adds the directory to its list of directories and establishes the connection.

Configuring an Active Directory Connection – Legacy Method
Note: This is the legacy method of configuring an Active Directory connection. For a simpler method, we recommend that you use the latest method, see Configuring a Microsoft Active Directory Connection on page 195 for more information.
The following sections explain the prerequisites for Microsoft Active Directory and how to use the legacy method to configure Advanced Firewall to work with Microsoft Active Directory.

Prerequisites for Active Directory
Before you configure any settings for use with Active Directory:
• Run the Advanced Firewall Setup program and check that the DNS server containing the Active Directory information is specified correctly. This DNS server is used by Advanced Firewall for name lookups. For more information, see Appendix A, Advanced Firewall and DNS on page 302 and the Advanced Firewall Installation and Setup Guide.
• Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active Directory servers.
• Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized.
Note: Do not use the administrator account as the lookup user. Often the administrator account will not have a Windows 2000 username.
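To make the RADIUS settings above concrete (the shared Secret, the Identifying IP address that the server sees as the caller, and the Filter-Id attribute that carries group information), here is an added example in Python that builds a RADIUS Access-Request, answers it from a constructed server, and verifies the reply before trusting the Accept/Reject verdict or the group it carries. It is not Smoothwall code and sends nothing over the network; the secret, user, password and group are made-up test values, and the server side exists only so that both halves of the exchange can be seen together. Packet layout, User-Password hiding and the Response Authenticator follow RFC 2865.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), an added example.

Not Smoothwall code: it shows what the Secret, Identifying IP address and
Obtain groups from RADIUS (Filter-Id) settings correspond to on the wire.
Both sides of the exchange are constructed in this file and nothing is sent
over the network; the secret, user and group below are made-up test values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11


def encode_password(password, secret, authenticator):
    """Hide User-Password as in RFC 2865 s5.2: 16-byte blocks XORed with an MD5 chain."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)              # pad to a multiple of 16 bytes
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return out


def decode_password(blob, secret, authenticator):
    """Inverse of encode_password (the server side). Garbage if the secret is wrong."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], b))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def attr(kind, value):
    """One attribute: Type, Length (counting these two bytes), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data):
    """Return [(type, value)], refusing lengths that run past the packet."""
    i, out = 0, []
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((kind, data[i + 2:i + length]))
        i += length
    return out


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()


def access_request(username, password, secret, nas_ip, ident=1, authenticator=None):
    """Firewall side: build the login check. Returns (packet, request authenticator)."""
    ra = authenticator or os.urandom(16)       # random Request Authenticator
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_password(password, secret, ra))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, ra, attrs), ra


def server_reply(request, secret, users):
    """Constructed RADIUS server: users maps name -> (password, group for Filter-Id)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(parse_attrs(request[20:length]))
    user = attrs[USER_NAME].decode()
    given = decode_password(attrs[USER_PASSWORD], secret, req_auth)
    if user in users and users[user][0] == given:
        code, reply_attrs = ACCESS_ACCEPT, attr(FILTER_ID, users[user][1].encode())
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(code, ident, req_auth, reply_attrs, secret)
    return packet(code, ident, auth, reply_attrs)


def reply_is_authentic(reply, req_auth, secret):
    """Firewall side: the Response Authenticator proves the reply came from a holder
    of the shared secret and answers our request; check it before trusting anything."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, req_auth, reply[20:length], secret)
    return reply[4:20] == expected


def check_reply(reply, req_auth, secret):
    """Return (accepted, group) where group comes from Filter-Id, or raise on a forgery."""
    if not reply_is_authentic(reply, req_auth, secret):
        raise ValueError("response authenticator mismatch: wrong secret or forged reply")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    groups = [v.decode() for t, v in parse_attrs(reply[20:length]) if t == FILTER_ID]
    return code == ACCESS_ACCEPT, (groups[0] if groups else None)


if __name__ == "__main__":
    secret, users = b"testing123", {"alice": ("correct horse", "staff")}
    req, ra = access_request("alice", "correct horse", secret, "192.168.2.1")
    print(check_reply(server_reply(req, secret, users), ra, secret))  # (True, 'staff')
```

Two points stand out once the bytes are visible. The password is hidden only by MD5 keyed with the shared secret, which is why the prerequisite of making the RADIUS server accept queries solely from the firewall's identifying address matters: the secret is the whole of the transport security on UDP port 1812. And the group arrives as a plain Filter-Id string, so a reply whose authenticator does not verify must be discarded before its Filter-Id is mapped to a local group.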

Configuring an Active Directory Connection
Configuring an Active Directory connection entails specifying server details and optionally the Kerberos realm to use, search roots and any advanced settings required.
Note: For Microsoft Active Directory, Advanced Firewall requires DNS servers that can resolve the Active Directory server hostnames. Often, these will be the same servers that hold the Active Directory. The Active Directory DNS servers will need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to be able to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. See also Appendix A, Advanced Firewall and DNS on page 302 and Appendix A, Active Directory on page 303 for more information.
To configure the connection:
1 Navigate to the Services > Authentication > Directories page.
2 In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next. Advanced Firewall displays the settings for Active Directory.
3 Configure the following settings:
Status: Select Enabled to enable the connection.
Tenants: Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same. Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
Active Directory server: Enter the directory server's full hostname.
Kerberos realm: Optionally, select Automatic or enter the Kerberos realm.
Username: Enter the username of a valid account. Enter the username without the domain; the domain will be added automatically by Advanced Firewall. In a multi-domain environment, the username must be a user in the top level domain.
Password: Enter the password of a valid account.
Confirm: Re-enter the password to confirm it.
Cache timeout (minutes): Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache, i.e. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache, until the cache timeout has passed. Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer.

User search root: Optionally, select Automatic to configure Advanced Firewall to start looking for user accounts at the top level of the directory, or enter the user search root to start looking in, for example: ou=myusers,dc=mydomain,dc=local. Note: When working with multi-domain environments, the user search root must be set to the top level domain.
Extra user search roots: This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line. For more information, see Appendix A, Working with Large Directories on page 303.
Group search root: Optionally, select Automatic to configure Advanced Firewall to start looking for user groups at the top level of the directory, or enter the group search root to start looking in, for example: ou=mygroups,dc=mydomain,dc=local. Note: Some directories will not return more than 1 000 results for a search, so if there are more than 1 000 groups in the directory, a more specific group search root needs to be configured.
Extra group search roots: Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter search roots one per line.
Comment: Optionally, enter a comment about the directory server and the settings used.
Enabled: Select this option to enable the connection to the directory server.
4 Optionally, click Advanced to access and configure the following settings:
LDAP port: Accept the default, or enter the LDAP port to use.
NetBIOS workgroup: This setting applies when using NTLM authentication with Guardian. Select Automatic or enter the NetBIOS domain name to use when joining the workgroup. Advanced Firewall cannot join domains required for NTLM authentication where the workgroup, also known as the NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain.
Use sAMAccountName: This setting applies when using Microsoft Windows NT4 or older installations. Enter the sAMAccountName to override the userPrincipalName.
Discover Kerberos realms through DNS: Select this option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.

Extra realms: This setting enables you to configure subdomains manually, as opposed to automatically using DNS. Use the following format: <realm><space><kdc server> For example: example.org kdc.example.org Enter one realm per line.
5 Click Add.
Advanced Firewall adds the directory to its list of directories and establishes the connection.

Configuring a Local Users Directory
Advanced Firewall stores user account information comprised of usernames, passwords and group membership in local user directories so as to provide a standalone authentication service for network users.
To configure a local users directory:
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select Local users and configure the following settings:
Status: Select Enabled to enable the connection.
Tenants: Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same. Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
Name: Accept the default name or enter a new name.
Comment: Optionally, enter a comment about the directory.
3 Click Add.
Advanced Firewall adds the directory to its list of directories. For information on adding and managing local users, see Managing Local Users on page 204.

Reordering Directory Servers
Tip: If most of your users are in one directory, list that directory first so as to reduce the number of queries required. If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first.
To reorder directory servers:
1 On the Services > Authentication > Directories page, select the directory server you want to move and click Up or Down until the server is where you want it.
2 Repeat the step above for any other directories you want to move.
3 Click Save moves.
Advanced Firewall applies the changes.

Tip: You can also drag and drop directories to where you want them. Just remember to click Save moves.

Editing a Directory Server
To edit a directory server:
1 On the Services > Authentication > Directories page, point to the directory server and click Edit. The Edit directory dialog box opens.
2 Make the changes required, see Configuring Directories on page 195 for information on the settings available.
3 Click Save changes.
Advanced Firewall applies the changes.

Diagnosing Directories
It is possible to review a directory's status and run diagnostic tests on it.
To diagnose a directory:
1 On the Services > Authentication > Directories page, point to the directory server and click Diagnose.
Advanced Firewall displays current directory connection, user account and status information.
Tip: You can diagnose multiple directories at the same time. Select the directories and click Diagnose.

Deleting a Directory Server
To delete a directory server:
1 On the Services > Authentication > Directories page, point to the directory server and click Delete. When prompted, confirm that you want to delete the directory.
Advanced Firewall deletes the server.

Managing Local Users
Advanced Firewall stores user account information comprised of usernames, passwords and group membership in local user directories so as to provide a standalone authentication service for network users.

Adding Users
To add a user to a local user directory:
1 On the Services > Authentication > Directories page, click on the local user directory you want to add a user to. Advanced Firewall displays any current local users.
2 Click Add new user. In the Add new user dialog box, configure the following settings:
Enabled: Select to enable the user account.
Username: Enter the user account name.
Password: Enter the password associated with the user account. Passwords must be a minimum of six characters long; that is the enforced minimum, not a recommendation, so choose considerably longer passwords for accounts that grant network access.

Repeat password: Re-enter the password to confirm it.
Select group: From the drop-down menu, select a group to assign the user account to.
3 Click Add.
Advanced Firewall saves the information.
4 Repeat the steps above to add more users.

Editing Local Users
To edit an existing user's details:
1 On the Services > Authentication > Directories page, click on the local user directory containing the user account you want to edit. Advanced Firewall displays current local users.
2 Point to the user account and click Edit. In the Edit user dialog box, make the changes required. See Adding Users on page 204 for more information on the settings available.
3 Click Save changes.
Advanced Firewall applies the changes.

Deleting Users
To delete users:
1 On the Services > Authentication > Directories page, click on the local user directory containing the user account(s) you want to delete. Advanced Firewall displays current local users.
2 Point to the user account and click Delete. When prompted, confirm that you want to delete the account. Advanced Firewall deletes the account.
3 Repeat the steps above to delete other accounts.

Mapping Groups
Once you have successfully configured a connection to a directory, you can map the groups Advanced Firewall retrieves from the directory in order to apply permissions and restrictions to the users in the groups.
To map directory groups to Advanced Firewall groups:
1 On the Services > Authentication > Directories page, click on the directory that contains the group you want to map. Advanced Firewall displays any current group mappings.
2 Click Add new group mapping. In the Add new group mapping dialog box, configure the following settings:
Enabled: Select to enable the mapping.
Directory service group: From the drop-down list, select the directory group(s) you want to map. Tip: You can filter the groups shown by entering parts of group names in this field.
Local group: From the drop-down list, select the Advanced Firewall group you want to map the directory service group(s) to.
3 Click Add.
Advanced Firewall creates the mapping.

Remapping Groups
It is possible to change group mappings.
To remap groups:
1 On the Services > Authentication > Directories page, click on the directory that contains the group you want to remap. Advanced Firewall displays the current group mappings.
2 Point to the group and click Edit. In the Edit group mapping dialog box, remap the group(s) as required. See Mapping Groups on page 205 for more information on the settings available.
3 Click Save changes.
Advanced Firewall remaps the group(s).

Deleting Group Mappings
It is possible to delete group mappings.
To delete one or more group mappings:
1 On the Services > Authentication > Directories page, click on the directory that contains the mapping(s) you want to delete. Advanced Firewall displays the current group mappings.
2 Select the mapping(s) and click Delete. When prompted, confirm the deletion by clicking Delete.
Advanced Firewall deletes the mapping(s).

Managing Temporarily Banned Users
Advanced Firewall enables you to temporarily ban specific user accounts. When temporarily banned, the user is added to the Banned users group.
Note: You can apply any web filtering policy to the Banned users group.

Creating a Temporary Ban
Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more information, see Chapter 13, Administrative User Settings on page 274.
To ban an account temporarily:
1 Navigate to the Services > Authentication > Temporary bans page.

2 Click Add new temporary ban. In the Add new temporary ban dialog box, configure the following settings:
Status: Select Enabled to enable the ban immediately.
Username: Enter the user name of the account you want to ban.
Ban expires: Click and select when the ban expires.
Comment: Optionally, enter a comment explaining why the account has been banned.
3 Click Add.
Advanced Firewall enforces the ban immediately.
Tip: There is also a ban option on the Services > Authentication > User activity page, for more information, see Managing User Activity on page 208.
Tip: You can edit the block page displayed to banned users so that it gives them information on the ban in force. See Chapter 7, Managing Block Pages on page 101 for more information.

Removing Temporary Bans
To remove a ban:
1 Navigate to the Services > Authentication > Temporary bans page.
2 In the Current rules area, select the ban and click Remove.
Advanced Firewall removes the ban.

Removing Expired Bans
To remove bans which have expired:
1 Navigate to the Services > Authentication > Temporary bans page.
2 In the Current rules area, click Remove all expired.
Advanced Firewall removes all bans which have expired.

Managing User Activity
Advanced Firewall enables you to see who is logged in and who has recently logged out. You can also log users out and/or ban them.

Viewing User Activity
To view activity:
1 Navigate to the Services > Authentication > User activity page. Advanced Firewall displays who is logged in, who recently logged out, the group(s) the user belongs to, their source IP and the method of user authentication. Recently logged out users are listed for 15 minutes.

Logging Users Out
To log a user out:
1 On the Services > Authentication > User activity page, point to the user you want to log out and click Log user out. Advanced Firewall logs the user out immediately and lists them as logged out. If the user is using SSL login, they will be prompted to authenticate again. Connection-based authentication will automatically log the user back in.
Note: Logging a user out is not the same as blocking a user from accessing web content.

Banning Users
To ban a user:
1 On the Services > Authentication > User activity page, point to the user you want to ban and click Ban user. Advanced Firewall copies the user’s information and displays it on the Services > Authentication > Temporary bans page where you can configure the ban. For more information, see Creating a Temporary Ban on page 206.

About SSL Authentication
Advanced Firewall provides SSL Login as a built-in authentication mechanism which can be used by authentication-enabled services to apply permissions and restrictions on a customized, per-user basis.
When SSL Login is configured, network users requesting port 80 for outbound web access will be automatically redirected to a secure login page, the SSL Login page, and prompted for their user credentials. SSL Login authentication works by dynamically adding a rule for the IP address of each authenticated user, thus allowing SSL Login redirection to be bypassed for authenticated users. When an authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound requests on port 80 will again cause automatic redirection to the SSL Login.
The SSL Login page can be manually accessed by users wishing to pro-actively authenticate themselves, typically where they need to use a non-web authentication-enabled service, for example group bridging, or where only a small subset of users require authentication.

Customizing the SSL Login Page
When using SSL as an authentication method, it is possible to customize the title image, background image and message displayed on an SSL login page.

Customizing the Title Image
It is possible to customize the title image displayed on the SSL login page.
To upload a custom title image:
1 Browse to the Services > Authentication > SSL login page.
2 Click the Title image Browse/Select file button. Using your browser’s controls, locate and select the file.
3 Click Save changes. Advanced Firewall uploads the file and makes it available on the SSL login page.

Customizing the Background Image
It is possible to customize the background image used on an SSL login page.
To upload a background image:
1 On the Services > Authentication > SSL login page, click the Background image Browse/Select file button. Using your browser’s controls, locate and select the file.
2 Click Save changes. Advanced Firewall uploads the file and makes it available on the SSL login page.

Customizing the Message
It is possible to provide users with a customized message.
To customize the login message:
1 Navigate to the Services > Authentication > SSL login page.
2 In the Customize SSL Login area, enter your custom message in the SSL login page text box.
3 Click Save changes to apply the new message.

Removing Custom Files
To remove a custom file:
1 Browse to the Services > Authentication > SSL login page.
2 To remove the title image, adjacent to Title image, click Delete.
3 To remove the background image, adjacent to Background image, click Delete.

Reviewing SSL Login Pages
You can review SSL Login pages.
To review the SSL Login page:
1 In the web browser of your choice, enter your Advanced Firewall system’s IP address and /login. For example: http://192.168.72.141/login or, using HTTPS, https://192.168.72.141:442/login. Advanced Firewall displays the SSL login page.

Configuring SSL Login
Note: If you add Guardian3 to an Advanced Firewall installation which does not have SSL login configured, the SSL login redirection section will not be available. If you add Guardian3 to an Advanced Firewall installation which already has SSL login configured, ensure that SSL Login redirection is not enabled both on interface(s) on this page and in a web proxy authentication policy. For more information on web proxy authentication policies, see the Guardian3 Administrator’s Guide.
SSL Login authentication is configured on a per-interface basis.
To configure SSL Login:
1 Navigate to the Services > Authentication > SSL login page.
2 Locate the SSL login redirection area and select each interface on which you want to activate SSL Login.
3 Click Save changes. Advanced Firewall enables SSL Login on the selected interfaces.

Creating SSL Login Exceptions
SSL Login exceptions can be created in order to prevent certain hosts, ranges of hosts or subnets from being automatically redirected to the SSL Login page.
Tip: This option is useful when avoiding requiring servers to authenticate.
To create an SSL login exception:
1 Browse to the Services > Authentication > SSL login page.
2 In the SSL login redirection area, in the Redirect exception addresses field, enter an IP address, IP range or subnet that should not be redirected to the SSL Login.
3 Repeat the step above on a new line for each further exception you want to make.
4 Click Save changes.
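To make the redirection behaviour described above concrete, the following Python model is an added example, not code from this guide or from Advanced Firewall. It decides, for one outbound request, whether a client is sent to the SSL Login page: only port 80 requests on an interface with SSL Login enabled are redirected, and then only if the source address is neither listed in Redirect exception addresses nor currently covered by the dynamic rule added at login. Interface names, addresses and the idle-refresh reading of the time-out are assumptions.

```python
import ipaddress
from typing import Dict, List, Set, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_exception_addresses(text: str) -> List[Tuple]:
    """Parse the Redirect exception addresses field: one entry per line, each an
    IP address, a range written as first-last, or a subnet in CIDR notation."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "-" in line:
            lo_s, hi_s = (part.strip() for part in line.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if lo.version != hi.version or lo > hi:
                raise ValueError("bad range: %s" % line)
            entries.append(("range", lo, hi))
        else:
            # strict=False accepts host bits in a subnet, e.g. 10.0.0.7/24
            entries.append(("net", ipaddress.ip_network(line, strict=False)))
    return entries


def is_exempt(ip: IPAddress, entries: List[Tuple]) -> bool:
    for kind, *rest in entries:
        if kind == "range":
            lo, hi = rest
            if lo.version == ip.version and lo <= ip <= hi:
                return True
        elif ip.version == rest[0].version and ip in rest[0]:
            return True
    return False


class SslLoginRedirector:
    """Models the per-interface redirect decision described in the text.

    Assumption not stated in the guide: the time-out is treated as an idle
    time-out refreshed by each allowed request; times are plain seconds.
    """

    def __init__(self, enabled_interfaces: Set[str], exceptions_text: str, timeout_seconds: int):
        self.enabled = set(enabled_interfaces)
        self.exceptions = parse_exception_addresses(exceptions_text)
        self.timeout = timeout_seconds
        self.sessions: Dict[str, int] = {}  # authenticated IP -> last activity time

    def login(self, ip: str, now: int) -> None:
        """Successful SSL Login: add the dynamic bypass rule for this IP."""
        self.sessions[str(ipaddress.ip_address(ip))] = now

    def logout(self, ip: str) -> None:
        """Explicit logout: remove the dynamic rule again."""
        self.sessions.pop(str(ipaddress.ip_address(ip)), None)

    def _expire(self, now: int) -> None:
        expired = [ip for ip, t in self.sessions.items() if now - t > self.timeout]
        for ip in expired:
            del self.sessions[ip]

    def decide(self, interface: str, src_ip: str, dst_port: int, now: int) -> str:
        """Return 'redirect' (send to the SSL Login page) or 'allow'."""
        self._expire(now)
        ip = ipaddress.ip_address(src_ip)
        if interface not in self.enabled:
            return "allow"            # SSL Login not activated on this interface
        if dst_port != 80:
            return "allow"            # only outbound port 80 requests are redirected
        if is_exempt(ip, self.exceptions):
            return "allow"            # listed in Redirect exception addresses
        key = str(ip)
        if key in self.sessions:
            self.sessions[key] = now  # refresh the idle time-out
            return "allow"            # dynamic rule for an authenticated user
        return "redirect"
```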

Managing Kerberos Keytabs
Note: When using Microsoft Active Directory for authentication, Kerberos keys are managed automatically. For other directory servers, it is necessary to import keytabs manually; see the following section for information on how to do this.
A Kerberos keytab is a file which contains pairs of Kerberos principals and encrypted keys. By importing and using Kerberos keytabs, Advanced Firewall services, such as authentication, can use the interoperability features provided by Kerberos.
For information on using Kerberos as the authentication method in authentication policies, see Chapter 6, Creating Authentication Policies on page 67.

Adding Keytabs
The following section explains how to add Kerberos keytabs into Advanced Firewall. For information on generating keytabs, consult the documentation delivered with your directory server. Also, see http://technet.microsoft.com/en-us/library/cc753771%28v=WS.10%29.aspx, available at the time of writing, which discusses how to get a keytab from Active Directory.
To add a keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 Click Add new keytab and configure the following settings:
Setting   Description
Status    Accept the default setting to enable the keytab.
Name      Enter a descriptive name for the keytab.
Comment   Optionally, enter a comment to describe the keytab.
File      Using your browser, locate and select the keytab.
3 Click Add. Advanced Firewall adds the keytab and lists it in the Kerberos keytabs area.
4 Repeat the steps above for any other keytabs you need to import.
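Before importing a keytab generated on a directory server, it is worth checking which principals and key types it actually holds. The following Python parser is an added example, not code from this guide or from Advanced Firewall: it reads the version 0x0502 keytab format (pairs of principals and keys, as described above) and reports each entry’s principal, encryption type and key version without printing key material. The realm, host name and zero-filled keys in the sample keytab are constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

# Keytab file format version 0x0502 (MIT/Heimdal), big-endian throughout.
KEYTAB_MAGIC = b"\x05\x02"

# Encryption type numbers from RFC 3961 / RFC 4757 commonly found in keytabs.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single-DES and RC4 keys are weak; a keytab holding only these deserves a second look.
WEAK_ENCTYPES = {1, 3, 23}


def _counted(data: bytes) -> bytes:
    """Encode a counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("counted string runs past end of entry")
    return buf[pos:pos + n], pos + n


def build_keytab_entry(realm: str, components: List[str], kvno: int, enctype: int,
                       key: bytes, timestamp: int, name_type: int = 1) -> bytes:
    """Serialise one keytab entry (used here only to construct sample input)."""
    body = struct.pack(">H", len(components))
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # optional 32-bit kvno written by modern tools
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: List[bytes]) -> bytes:
    return KEYTAB_MAGIC + b"".join(entries)


def parse_keytab(data: bytes) -> List[Dict]:
    """List keytab entries without exposing key material."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted (free) slot of that many bytes
            pos += -size
            continue
        entry = data[pos:pos + size]
        if len(entry) != size:
            raise ValueError("truncated keytab entry")
        pos += size

        p = 0
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm, p = _read_counted(entry, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(entry, p)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        (etype,) = struct.unpack_from(">H", entry, p)
        p += 2
        key, p = _read_counted(entry, p)
        kvno = vno8
        if size - p >= 4:  # 32-bit kvno extension, preferred when non-zero
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(etype, "unknown(%d)" % etype),
            "key_bits": len(key) * 8,
            "weak": etype in WEAK_ENCTYPES,
        })
    return entries


# Constructed sample keytab: two keys for a hypothetical HTTP service principal,
# one AES-256 and one RC4 (weak). The zero-filled key bytes are placeholders only.
SAMPLE_KEYTAB = build_keytab([
    build_keytab_entry("EXAMPLE.COM", ["HTTP", "proxy.example.com"], 3, 18, bytes(32), 1386000000),
    build_keytab_entry("EXAMPLE.COM", ["HTTP", "proxy.example.com"], 3, 23, bytes(16), 1386000000),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
```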

Managing Keytabs
The following sections explain how to enable, view, edit and delete Kerberos keytabs.

Disabling Keytabs
Kerberos keytabs are enabled by default. It is possible to disable a Kerberos keytab when required, for example, when troubleshooting.
To disable a keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3 In the Edit keytab dialog box, clear the Enabled option. Click Save changes to save the setting. Advanced Firewall disables the keytab.

Viewing Keytab Content
It is possible to view the contents of a Kerberos keytab.
To view a Kerberos keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, click the keytab’s display arrow. Advanced Firewall displays the content.

Editing Keytabs
It is possible to change the name of the Kerberos keytab file.
To change the name of the Kerberos keytab file:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3 In the Edit keytab dialog box, change the name as required and click Save changes. Advanced Firewall changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.

Deleting Keytabs
It is possible to delete Kerberos keytabs that are no longer required.
To delete a Kerberos keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, point to the keytab and select Delete.
3 When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the keytab.

Using WPA Enterprise
Advanced Firewall’s use of WPA Enterprise enables users to connect their own wireless devices to the network (known as ‘bring your own device’ or BYOD) and run applications with authentication that is unobtrusive.
Advanced Firewall links your organization's Active Directory domain to a RADIUS server. As a network administrator, you can configure your wireless network infrastructure to authenticate users using the RADIUS server so that users can use their Active Directory accounts as wireless client login details.
Configuring WPA Enterprise comprises:

• Checking that your network is configured as required. For more information, see Pre-requisites on page 214
• Setting up wireless access points to use Advanced Firewall as a RADIUS server. For more information, see Configuring Access Points on page 214
• Configuring Advanced Firewall to use WPA Enterprise. For more information, see Configuring WPA Enterprise on page 215
• In some cases, manually making the Advanced Firewall CA certificate available to devices which cannot accept it when users authenticate to the wireless network. For more information, see Provisioning the Advanced Firewall Certificate on page 215

Pre-requisites
• On Advanced Firewall, DHCP must be enabled and there must be a valid DHCP subnet configured. Advanced Firewall must be the DHCP server for that subnet. For more information on DHCP, see Chapter 8, DHCP on page 119
• Wireless access points must be on the same subnet as Advanced Firewall. Switches are allowed, but there must be no routers between them.
• Users’ wireless devices must support WPA Enterprise with PEAP and MSCHAPv2
• For users to whom a web filtering policy applies, Guardian must be configured to use core authentication. For more information, see Chapter 6, Creating Authentication Policies on page 67
• Advanced Firewall’s Active Directory authentication method must be used to authenticate users. For more information, see Configuring a Microsoft Active Directory Connection on page x
Note: Local users are not supported, nor is the legacy Active Directory authentication method.

Configuring Access Points
Note: Consult the documentation delivered with your wireless access point for complete information on how to configure it in detail.
To configure a wireless access point:
1 Log on to the wireless access point.
2 Create or modify a wireless network to use WPA2 with 802.1X. WPA2 is most secure. To support older hardware, WPA version 1 is also supported. Some wireless access points support WPA/WPA2 simultaneously.
Note: On the access point, the wireless network type may be referred to as: WPA2-Enterprise, WPA2RADIUS or WPA2 with a separate option for RADIUS. Some wireless access points require two separate settings for this.
3 Make a note of the shared secret for the wireless network. You will need this when configuring WPA Enterprise on Advanced Firewall.
4 Set Advanced Firewall as the RADIUS server for both authentication and accounting.

Configuring WPA Enterprise
To configure WPA Enterprise:
1 Browse to the Services > Authentication > WPA Enterprise page.
2 Click Add new access point. In the Add new access point dialog box, configure the following settings:
Setting         Description
Status          Select Enabled to enable the access point.
Name            Enter a name for the access point.
IP address      Enter the IP address of the access point.
Shared secret   Enter the secret that secures RADIUS communication between the access point and Advanced Firewall.
Confirm         Re-enter the shared secret to confirm it.
Comment         Optionally, enter a comment to describe the access point.
3 Click Add. Advanced Firewall applies the settings and lists the access point. Users who now try to access the wireless network will be prompted to authenticate.
Note: See Provisioning the Advanced Firewall Certificate on page 215 for devices which do not automatically accept the Advanced Firewall certificate.

Provisioning the Advanced Firewall Certificate
Some devices may not automatically accept the Advanced Firewall certificate when users try to authenticate themselves to the wireless network. For those devices, you can download the Advanced Firewall certificate to make it available in a way supported by the devices.
To provision the certificate:
1 On the Services > Authentication > WPA Enterprise page, click Download CA certificate.
2 Save the certificate in a secure location and consult the documentation provided with the device(s) as to how best to install it on the device(s).

Managing Groups of Users
The following sections discuss groups of users and how to manage them.

About Groups
Advanced Firewall uses the concept of groups to provide a means of organizing and managing
similar user accounts. Authentication-enabled services can associate permissions and restrictions with
each group of user accounts, thus enabling them to dynamically apply rules on a per-user account
basis.
Local users can be added or imported to a particular group, with each group being organized to
mirror an organization’s structure. Groups can be renamed by administrators to describe the users
that they contain.
Currently, Advanced Firewall supports 1000 groups and by default, contains the following groups:
Group                    Description
Unauthenticated IPs      The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, i.e. users that are not logged in, currently unauthenticated or cannot be authenticated.
                         Note: This group cannot be renamed or deleted.
Default Users            Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to an Advanced Firewall group, i.e. users that can be authenticated, but who are not mapped to a specific Advanced Firewall authentication group.
                         Note: This group cannot be renamed or deleted.
Banned Users             The purpose of this group is to contain users who are banned from using an authentication-enabled service.
                         Note: This group cannot be renamed or deleted.
Network Administrators   This group is a normal user group, configured with a preset name, and set up for the purpose of granting network administrators access to an authentication-enabled service. Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.

Adding Groups
It is possible to add groups to Advanced Firewall. Currently, Advanced Firewall supports 1000 groups.
To add a group:
1 On the Services > Authentication > Groups page, click Add new group.
2 In the Add new group dialog box, enter the following information:
Field     Description
Name      Enter a name for the group.
Comment   Optionally, enter a comment.
3 Click Add. Advanced Firewall creates the group and lists it.

Editing Groups
Note: It is not possible to rename the Unauthenticated IPs, Default Users or Banned Users groups.
To edit a group:
1 On the Services > Authentication > Groups page, point to the group and click Edit.
2 In the Edit group dialog box, enter the following information:
Field     Description
Name      When renaming a group, enter a new name.
Comment   Edit or enter a new comment.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting Groups
Note: It is not possible to delete the Unauthenticated IPs, Default Users or Banned Users groups.
To delete a group or groups:
1 On the Services > Authentication > Groups page, select the group(s) and click Delete.
2 When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the group(s).


Chapter 11

Reporting
In this chapter:
• About the Summary page
• Working with Advanced Firewall reports
• Managing datastore/log retention settings.

About the Summary Page
The summary page displays a customizable list of reports.
To access the summary page:
1 Navigate to the Logs and reports > Reports > Summary page.
Note: The information displayed depends on the product series you are using.
A list of the reports generated by default is displayed. For information on customizing the reports displayed, see Chapter 13, Configuring the User Interface on page 268.

Accessing Reporting
Advanced Firewall can produce many types of reports which provide information on almost every aspect of Advanced Firewall.
To access reporting:
1 Navigate to the Logs and reports > Reports > Reports page.


Generating Reports
Advanced Firewall contains a broad range of reports which can be generated immediately.
To generate a report:
1 Navigate to the Logs and reports > Reports > Reports page and click on a folder containing the report you want to generate.
2 Click on the report to access its options. Advanced Firewall displays the options available.
Tip: Click Advanced to see a description of the report, access advanced options and portal publication permissions. For more information on publishing reports, see Chapter 8, Making Reports Available on page 83.
3 If applicable, set the time interval for the report and enter/select any option(s) you require.
4 Click Run report to generate the report. Advanced Firewall displays the report.

Canceling a Report
It is possible to cancel a report if it is taking a long time to generate.
To cancel a report:
1 Generate the report, see Generating Reports on page 220.
2 When the report progress bar is displayed, click Cancel. Advanced Firewall cancels the report.

Saving Reports
If you want permanent access to a report, you must save it.
To save a report:
1 Generate the report, see Generating Reports on page 220.
2 In the Save as field, enter a name for the report and click Save. You can access the report on the Logs and reports > Reports > Recent and saved page.

About Recent and Saved Reports
You can access all reports generated in the last three days on the Logs and reports > Reports >
Recent and saved page.
You can also save recently generated reports and change report formats on this page.

Changing Report Formats
Advanced Firewall enables you to change reports viewed and/or saved in one format to another.

To change a report format:
1 Navigate to the Logs and reports > Reports > Recent and saved page.
2 Locate the report you want to change and click on the format you want to change the report to. The following formats are available:
Format   Description
csv      The report will be generated in comma separated text format.
excel    The report will be generated in Microsoft Excel format.
pdf      The report will be generated in Adobe’s portable document format.
pdfbw    The report will be generated in black and white in Adobe’s portable document format.
tsv      The report will be generated in tab separated text (tsv) format.

Managing Reports and Folders
The following sections explain how to create, delete and navigate reports and folders in Advanced Firewall.

Creating Folders
You can create a folder to contain reports on the Logs and reports > Reports > Reports page or in a folder or sub-folder contained on the page.
To create a folder:
1 On the Logs and reports > Reports > Reports page, determine where you want to create the folder, on the page or in an existing folder.
2 Click the Create a new folder button. Advanced Firewall creates the folder.
3 Enter a name for the folder and click Rename.

Deleting Folders
To delete a folder:
1 On the Logs and reports > Reports > Reports page, locate the folder.
2 Click the Delete button. Advanced Firewall deletes the folder.
Note: You cannot delete a folder which contains reports. Delete the report(s) in the folder first, then delete the folder.


Deleting Reports
To delete a report:
1 Navigate to the Logs and reports > Reports > Recent and saved page.
2 Locate the report and click the Delete button.

Report Permissions
Advanced Firewall enables you to publish reports on a portal. For more information, see Chapter 8, Making Reports Available on page 83.

Making Reports Available on Portals
You can make reports generated on one portal available on other portals.
To make the report available:
1 Navigate to the Logs and reports > Reports > Reports page and locate the report you want to publish to portals.
2 On the Permissions tab, click Automatic Access.
3 In the Automatic Access area, from the Add access drop-down list, select the portal you want to publish the generated report on and click Add.
4 Click Close to close the dialog box. Advanced Firewall publishes the report to the portal.


Scheduling Reports
Advanced Firewall can generate and deliver reports to specified user groups at specified intervals.
To schedule a report:
1 Navigate to the Logs and reports > Reports > Scheduled page.
2 Configure the following settings:
Setting       Description
Start date    Select the month and day on which to create and deliver the report. If the report is to be repeated, enter the date on which the first report should be created and delivered.
Time          Select the hour and minute at which to deliver the report.
Repeat        Scheduled reports can be generated and delivered more than once. Select from the following options:
              No Repeat – The report will be generated and delivered once on the specified date at the specified time.
              Daily Repeat – The report will be generated and delivered once a day at the specified time, starting on the specified date.
              Weekday Repeat – The report will be generated and delivered at the specified time, Monday to Friday, starting on the specified date.
              Weekly Repeat – The report will be generated and delivered at the specified time, once a week, starting on the specified date.
              Monthly Repeat – The report will be generated and delivered at the specified time, once a month, starting on the specified date.
Enabled       Select to enable the scheduled report.
Comment       Optionally, enter a description of the scheduled report.

Report               From the drop-down list, select the report.
Report name          Enter a name for the scheduled report.
Report shows period  From the drop-down list, select how long to collate data for this report.
Save report          Select this option if you want to save the scheduled report after it has been generated. The report will be available on the Logs and reports > Reports > Recent and saved page.
Email report         Select this option if you want to email the report to a group of users.
Group                From the drop-down list, select the group you want to deliver the report to. For more information, see Chapter 12, Configuring Groups on page 254.
Publish from portal  Optionally, from the drop-down menu, select a portal to publish the report from.
3 Click Add. Advanced Firewall schedules the report and lists it in the Scheduled reports area.

Managing Log Retention
You can configure Advanced Firewall to retain logs for use in reporting and network troubleshooting.
To manage log retention:
1 Navigate to the Logs and reports > Settings > Datastore settings page.

2 Configure the following settings:
Setting              Description
Retention settings   Use the slider’s start and end points to specify the minimum and maximum number of months Advanced Firewall should retain log files. If a log file is older than the minimum retention period specified, it may be deleted if the available storage space starts to run out. If a log file is older than the maximum retention period specified, it will be deleted.
                     Minimum – The minimum number of months possible is 0.
                     Maximum – The maximum number of months possible is infinite.
                     Note: If, because of a lack of storage space, the minimum log retention is not possible, Advanced Firewall will stop working and display a warning.
                     For example, if the minimum retention period is set to 3 months and the maximum retention period is set to 6 months, Advanced Firewall will always keep log files for 3 months and, if there is available storage space, will keep them for 6 months.
3 Click Save changes to save the datastore settings.
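The retention rules above amount to a small decision procedure: files past the maximum go, files between the minimum and maximum go oldest-first only while space is short, and files within the minimum are never touched, with a halt-and-warn condition if space is still short. The following Python function is an added illustration of those rules, not Advanced Firewall’s own datastore logic; the file names, ages, sizes and the notion of a required free-space figure are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LogFile:
    name: str
    age_months: int
    size_mb: int


def plan_retention(files: List[LogFile], min_months: int, max_months: int,
                   free_mb: int, required_free_mb: int) -> Tuple[List[LogFile], bool]:
    """Decide which log files the Retention settings allow to be deleted.

    Returns (files to delete, in deletion order; halt). halt is True when even
    deleting everything older than the minimum leaves too little space, which
    is the case where the guide says the system stops working and warns.
    """
    if not 0 <= min_months <= max_months:
        raise ValueError("need 0 <= minimum <= maximum")
    to_delete: List[LogFile] = []
    free = free_mb
    # Oldest first, so every file past the maximum is handled before any
    # file in the minimum-to-maximum band is considered.
    for f in sorted(files, key=lambda x: x.age_months, reverse=True):
        if f.age_months > max_months:
            to_delete.append(f)              # older than the maximum: always deleted
            free += f.size_mb
        elif f.age_months > min_months and free < required_free_mb:
            to_delete.append(f)              # older than the minimum: only while space is short
            free += f.size_mb
        # files within the minimum period are never deleted
    return to_delete, free < required_free_mb


# Constructed sample datastore: six 100 MB log files aged 8, 7, 5, 4, 2 and 1 months.
SAMPLE_LOGS = [LogFile("log-%02d" % m, m, 100) for m in (8, 7, 5, 4, 2, 1)]


def example(required_free_mb: int) -> Tuple[List[str], bool]:
    """Apply the guide's example settings (minimum 3, maximum 6 months) starting with no free space."""
    deleted, halt = plan_retention(SAMPLE_LOGS, 3, 6, free_mb=0, required_free_mb=required_free_mb)
    return [f.name for f in deleted], halt
```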


Chapter 12

Information, Alerts and Logging
In this chapter:
• About the dashboard, registration and initial setup pages
• Viewing, analyzing and configuring alerts, realtime information and log files.

About the Dashboard
The dashboard is the default home page of your Advanced Firewall system. The dashboard displays service information, external connectivity controls and a number of summary reports.
To access the dashboard:
1 Browse to Dashboard.

About the About Page
The About page displays product, registration, copyright and trademark information. It also displays acknowledgements.
To access the About page:
1 Browse to the bottom of the page you are on and click About.

Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.

Overview
Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual events, for example, an administrator login failure, or a series of events occurring over a particular time period, for example, a sustained high level of traffic over a five minute period. Some situations are constantly monitored, particularly those relating to critical failures, for example, UPS and power supply alerts.
Some alerts allow their trigger conditions to be edited to customize the alert sensitivity. It is possible to specify two trigger conditions for some alerts – the first acts as a warning alert, and, in more critical circumstances, the second denotes the occurrence of an incident.

Available Alerts
You access the alerts and their settings on the Logs and reports > Alerts > Alerts page.
Alert                                   Description
VPN Tunnel Status                       VPN Tunnel status notifications occur when an IPSEC Tunnel is either connected or disconnected. Constant monitoring.
L2TP VPN Tunnel Status                  L2TP Tunnel status notifications occur when an L2TP (Layer 2 Tunnelling Protocol) Tunnel is either connected or disconnected. Constant monitoring.
System Service Monitoring               This alert is triggered whenever a critical system service changes status, i.e. starts or stops. Constant monitoring.
External Connection Failover            Monitors the external connection(s) and alerts in the case of failover, or when failover machines are forced on and offline. Monitored once every five minutes.
Email Virus Monitor                     These alerts are triggered by detection of malware being relayed via SMTP or downloaded via POP3. Constant monitoring.
License expiry status warnings          Generates messages when the license is due for renewal or has expired. Monitored once an hour.
SmoothTunnel VPN Certificate Monitor    Validates Advanced Firewall VPN certificates and issues warnings about potential problems or impending expiration dates. Monitored once an hour.
IM proxy monitored word                 Monitors instant messaging chat activity and generates warning alerts based on excessive use of inappropriate language. Monitored once every five minutes.
Traffic Statistics Monitor              These alerts are triggered whenever the traffic flow for the external interface exceeds certain thresholds. Monitored once every five minutes.
System Resource Monitor                 These alerts are triggered whenever the system resources exceed predefined limitations. Monitored once every five minutes.
Output System Test Messages             Catches test alerts generated for the purposes of testing the Advanced Firewall Output systems. Constant monitoring.
Hardware failure alerts, UPS, harddisk failure   Generates messages when hardware problems are detected. Constant monitoring.
SmoothRule Violations                   Monitors outbound access activity and generates warnings about suspicious behavior.
Reverse proxy violations                Monitors reverse proxy activity and generates warnings about connectivity issues.
Inappropriate word in IM Monitor        Generates an alert whenever a user uses an inappropriate word or phrase in an IM chat conversation.
Administration Login Failures           Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts. Monitoring is constant.
Hardware Failover Notification          Generates messages when a hardware failover occurs. Constant monitoring.
Power Supply status warnings            Generates messages when server power switches to and from mains supply. Constant monitoring.
Health Monitor                          Checks on remote services for activity. Monitored once every five minutes.
Firewall Notifications                  Monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports. Monitoring is constant.

Alert                               Description
Intrusion System Monitor            These alerts are triggered by violations and notices generated by the intrusion system in response to suspicious network activity. Constant monitoring.
Update Monitoring                   Monitors the system for new updates once an hour. Monitored once an hour.
Mail Queue Monitor                  Watches the email queue and informs if the number of messages therein exceeds a certain threshold. Monitored once every five minutes.
System Boot (Restart) Notification  This alert is generated whenever the system is booted, i.e. is turned on or restarted.

Enabling Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.
To enable alerts:
1 Browse to the Logs and reports > Alerts > Alerts page.
2 Configure the following settings:
Setting                      Description
Group name                   From the drop-down list, select a group of recipients and click Select. For information on creating a group, see Configuring Groups on page 254.
Enable instantaneous alerts  By default, Advanced Firewall queues alerts in two minute intervals and then distributes a merged notification of all alerts. Select this option to send the alert(s) individually as soon as they are triggered.
3 For each alert you want to send, select the delivery method: SMS or Email.
4 Click Save.

Looking up an Alert by Its Reference
To view the content of an alert that has already been sent:
1 Enter the alert’s unique ID into the Alert ID field and click Show. The content of the alert will be displayed on a new page.

Configuring Alert Settings
The following sections explain how to configure Advanced Firewall alert settings.
To access the alert settings:
1 Browse to the Logs and reports > Alerts > Alert settings page.

Configuring the System Resource Alert
This alert is triggered whenever particular system resources exceed some predefined limitations.
To adjust the settings:
1 Enter or choose appropriate settings for each of the following controls:
Setting              Description
System load average  Used to set a threshold for the average number of processes waiting to use the processor(s) over a five minute period, that generates an alert once exceeded. A system operating at normal performance should record a load average of between 0.0 and 1.0. While higher values are not uncommon, prolonged periods of high load (for example, averages greater than 3.0) may merit attention.
Disk usage           Used to set a disk space usage percentage threshold, that generates an alert once exceeded. Low amounts of free disk space can adversely affect system performance.

System memory usage – Used to set a system memory usage percentage threshold, that generates an alert once exceeded. Advanced Firewall uses system memory aggressively to improve system performance, so higher than expected memory usage may not be a concern. However, prolonged periods of high memory usage may indicate that the system could benefit from additional memory.
2 Click Save.

Configuring the Firewall Notifications Alert
This alert monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports.
To adjust the settings:
1 Enter or choose appropriate settings for each of the following controls:
Monitor Source (remote) IP addresses – Detects suspicious inbound communication from remote IP addresses. Alerts will be generated if a rapid series of inbound requests from the same remote IP address is detected.
Monitor Destination (local) IP Addresses – Detects suspicious inbound communication to local IP addresses. Alerts will be generated if a rapid series of inbound requests to the same local IP address is detected.
Monitor Source (remote) Ports – Detects suspicious inbound communication from remote ports. Alerts will be generated if a rapid series of inbound requests from the same remote port is detected.
Monitor Destination (local) Ports – Detects suspicious inbound communication to local ports. Alerts will be generated if a rapid series of inbound requests to the same local port is detected.
Note: The adjacent Warning threshold and Incident threshold fields can be used to set the respective levels at which alerts are generated for each type of activity.
Note: To exempt particular ports from monitoring, enter a comma separated list of ports into the appropriate Ignore fields.
2 Click Save.

Configuring the System Service Alert
This alert is triggered whenever a critical system service changes states, i.e. starts or stops.
To adjust the settings for this alert:
1 Select the components, modules and services that should generate alerts when they start or stop.
2 Click Save.

Configuring the Health Monitor
This alert is triggered whenever a remote service fails to report activity. Health monitor alerts are intended to enable you to keep an eye on various aspects of your network which are usually outside of the remit of Advanced Firewall.
The health monitor provides the following checks and alerts:

Web Servers (HTTP) – When enabled, tries to retrieve the specified web page and check that it contains specific keywords. This is for detecting defacement. Assuming the page has been retrieved and the keywords are missing, an alert is generated.
Request URL – Enter the URL of the web page you want retrieved and checked for keywords, for example: example.com/index.htm. Note: Omit http:// when entering the URL.
Keywords – Enter the keywords to be checked in the page.
No of tries – Enter the number of times Advanced Firewall should try to retrieve the page.
DNS Name Resolution – Checks that a domain has not expired or been hijacked.
Name – Enter the domain name.
Address – Enter the domain address.
No of tries – Enter the number of times Advanced Firewall should check the address and not receive a response before generating an alert.
Other Services – Checks that the specified port is open and offering a service.
IP Address – Enter the IP address.
Port – Enter the port number.
Protocol – From the drop-down list, select the protocol of the service you want to check for a response. Select Other to check that there is any response to connections on the associated port.
To configure the alert:
1 For the services, enter the URL, IP address or name, port numbers and number of tries, if applicable.
2 Enter keywords.
3 Select the protocol.
4 Click Add for each service.

Configuring the Inappropriate Word in IM Monitor Alert
These alerts are generated whenever a user uses an inappropriate word or phrase in instant messaging chat conversations.
To configure the alert:
1 Configure the following settings:
Enabled on received text – Select to generate the alert when an inappropriate word is used in a message received from a remote user.
Enabled on sent text – Select to generate the alert when an inappropriate word is used in a message sent by a local user.

Generate alert for each message which exceeds the Message Censor severity threshold – Select to generate an alert when the Message Censor threshold is exceeded. From the drop-down list, select the threshold above which an alert will be generated. For information on the Message censor threshold, see Chapter 8, Censoring Message Content on page 109.
Generate alert when users exceed the rate of inappropriate messages – Select to generate an alert when users exceed the specified number of inappropriate messages within a 15 minute period.
Number of inappropriate messages in 15 mins – Specify how many inappropriate messages to allow in a 15 minute period before generating an alert.
2 Click Save to save the settings and enable the alert.

Configuring the Mail Queue Monitor Alert
This alert is triggered when the number of messages in the email queue exceeds the specified threshold.
To configure and enable the alert:
1 Configure the following settings:
Threshold number of messages – Enter the number of messages above which the alert is triggered.
2 Click Save to save the settings.

Configuring the Email Virus Monitor Alert
When configured, these alerts are triggered when malware being relayed via SMTP or downloaded via POP3 is detected.
To configure the alert(s):
1 Enable the following setting(s):
Monitor SMTP relay for viruses – Select to alert when malware is detected when relaying via SMTP.
Monitor POP3 proxy for viruses – Select to alert when malware is detected when downloading via POP3.
2 Click Save to enable the alerts.

Realtime
The realtime pages provide access to realtime information about your system.

Realtime System Information
The System page is a realtime version of the system log viewer with some filtering options.

To access the System page:
1 Browse to Logs and reports > Realtime > System page. By default, all information in the system log is displayed and updated automatically approximately every second.
To display information on specific components:
1 From the Section drop-down list, select the component and click Update. If there is information on the component available in the system log, it is displayed in the Details area.

Realtime Firewall Information
The Firewall page is a realtime version of the firewall log viewer with some filtering options. All entries in the firewall log are from packets that have been blocked by Advanced Firewall.

To access the page:
1 Browse to Logs and reports > Realtime > Firewall page. By default, information is displayed and updated automatically approximately every second.
To display information on specific sources and destinations:
1 Enter a complete or partial IP address and/or port number in the fields and click Update.

Realtime IPsec Information
The IPSec page is a realtime version of the IPSec log viewer with some filtering options.

To access the IPSec page:
1 Browse to Logs and reports > Realtime > IPSec page. By default, all information in the log is displayed and updated automatically approximately every second.
To display information on a specific tunnel:
1 Configure the following settings:
Connection – From the drop-down list, select the tunnel.
Show only lines containing – Enter the text you are looking for.
2 Click Update. If there is information available in the system log, it is displayed in the Details area.

Realtime Portal Information
The Portal page displays realtime information on users accessing Advanced Firewall portals. For more information on portals, see Chapter 8, Working with Portals on page 81.
To access the portal page:
1 Browse to Logs and reports > Realtime > Portal page.

Realtime Instant Messaging
The IM proxy page is a realtime version of the IM proxy log viewer with some filtering options. The page displays a view of ongoing conversations for each of the monitored protocols and displays a selected conversation as it progresses.
Active conversations which have had content added to them within the last minute are displayed in bold text in the left pane. If nothing has been said for more than a minute, the remote username will be displayed in the normal style font. The local username is denoted in blue, the remote username is denoted in green.
Note: As most IM clients communicate with a central server, local conversations are likely to be displayed twice as users are recognized as both local and remote.
You can use the following settings to manage how the conversation is displayed.
To view IM conversations:
1 Browse to Logs and reports > Realtime > IM proxy page.
2 In the Username or IP address field, enter the username or IP address. If there is information available in the web filter log, it is automatically displayed in the Details area.
3 To show lines containing specific text, enter the text in the Show only lines containing field. If the text is found, it is automatically displayed in the Details area.

Realtime Traffic Graphs
The Traffic graphs page displays a realtime graph of the bandwidth in bits per second being used by the currently selected interface.

To access the traffic graphs page:
1 Browse to Logs and reports > Realtime > Traffic graphs page.
The Interfaces area displays a list of the active interfaces on Advanced Firewall. Clicking on an interface displays its current traffic.
Top 10 Incoming displays the 10 IP addresses which are using the greatest amount of incoming bandwidth. Top 10 Outgoing displays the 10 IP addresses which are using the greatest amount of outgoing bandwidth.

Logs
The log pages display system, firewall, IPsec, intrusion system, email and proxy information.
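The checks described under Configuring the Health Monitor above (retrieve a page and confirm its keywords are present, with a number of tries; confirm a name still resolves to its expected address), as an added Python example that is not Smoothwall code. The live fetcher and resolver are included, but the run below uses constructed stand-in pages and name records so it works offline; the example.com URLs and 192.0.2.x addresses are constructed.

```python
import socket
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class HttpCheck:
    request_url: str   # entered without http://, as the Request URL setting requires
    keywords: tuple    # every keyword must appear in the retrieved page
    tries: int         # No of tries: attempts to retrieve the page


@dataclass
class DnsCheck:
    name: str          # the domain name
    address: str       # the address the name is expected to resolve to
    tries: int         # consecutive failed checks before an alert


def fetch_page(url: str) -> str:
    """Live fetcher; not used by the offline run at the bottom."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def resolve_name(name: str) -> str:
    """Live resolver; not used by the offline run at the bottom."""
    return socket.gethostbyname(name)


def check_http(check: HttpCheck, fetch: Callable[[str], str] = fetch_page) -> Optional[str]:
    """Return None when the page is retrieved and every keyword is present.

    As the guide states, a defacement alert needs the page to have been
    retrieved with keywords missing; a page that never answers within the
    allowed tries is reported as a separate, non-defacement failure.
    """
    url = "http://" + check.request_url   # scheme is added here, not in the setting
    body = None
    for _ in range(check.tries):
        try:
            body = fetch(url)
            break
        except OSError:   # urllib.error.URLError and socket errors derive from OSError
            continue
    if body is None:
        return f"{check.request_url}: no response after {check.tries} tries"
    missing = [k for k in check.keywords if k not in body]
    if missing:
        return f"{check.request_url}: possible defacement, keywords missing {missing}"
    return None


def check_dns(check: DnsCheck, resolve: Callable[[str], str] = resolve_name) -> Optional[str]:
    """Return None as soon as the name resolves to the expected address."""
    last = None
    for _ in range(check.tries):
        try:
            last = resolve(check.name)
        except OSError:   # socket.gaierror: no answer at all
            last = None
        if last == check.address:
            return None
    return (f"{check.name}: expected {check.address}, got {last!r} on "
            f"{check.tries} consecutive checks (expired or hijacked?)")


def run_health_monitor(checks, fetch=fetch_page, resolve=resolve_name):
    """Run every check once and return the alert messages it produced."""
    alerts = []
    for check in checks:
        msg = check_http(check, fetch) if isinstance(check, HttpCheck) else check_dns(check, resolve)
        if msg:
            alerts.append(msg)
    return alerts


# Constructed stand-ins so the example runs offline.
_PAGES = {
    "http://example.com/index.htm": "<h1>Example Corp</h1><p>Welcome to our site</p>",
    "http://example.com/news.htm": "<h1>placeholder page</h1>",   # keywords gone
}
_NAMES = {"example.com": "192.0.2.10", "example.net": "192.0.2.99"}


def fake_fetch(url):
    if url not in _PAGES:
        raise OSError("connection refused")
    return _PAGES[url]


def fake_resolve(name):
    if name not in _NAMES:
        raise OSError("name not found")
    return _NAMES[name]


CHECKS = [
    HttpCheck("example.com/index.htm", ("Example Corp", "Welcome"), 3),   # healthy
    HttpCheck("example.com/news.htm", ("Example Corp",), 3),              # keywords missing
    HttpCheck("example.com/missing.htm", ("Example Corp",), 2),           # never retrieved
    DnsCheck("example.com", "192.0.2.10", 3),                             # resolves as expected
    DnsCheck("example.net", "192.0.2.20", 2),                             # resolves elsewhere
    DnsCheck("example.org", "192.0.2.30", 2),                             # does not resolve
]

if __name__ == "__main__":
    for alert in run_health_monitor(CHECKS, fake_fetch, fake_resolve):
        print("ALERT:", alert)
```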

System Logs
The system logs contain simple logging and management information.
To access system logs:
1 Browse to the Logs and reports > Logs > System page.

To view specific information:
1 Select the filtering criteria using the Settings area and click Update. A single column is displayed containing the time of the event(s) and descriptive messages.
The following filter criteria controls are available in the Settings area:
Section – Used to select which system log is displayed. The following options are available:
Authentication service – Log messages from the authentication system, including service status messages and user authentication audit trail.
IM Proxy – Log messages from the instant messaging proxy service, including service status messages.
Kernel – Log messages from the core Advanced Firewall operating system.
Message censor – Displays information from the message censor logs.
Monitor – Displays monitoring system information including service status and alert/report distribution audit trail.
NTP – Log messages from the network time system.
SSH – Log messages from the SSH system.
System – Simple system log messages, including startup, shutdown, reboot and service status messages.
SystemD – Log messages from the system super server.
UPS – Log messages from the UPS system.
Update transcript – Displays information on update history.
VIPRE engine – Displays information on the anti-malware engine.
System – Displays server log information.
Month – Used to select the month that log entries are displayed for.
Day – Used to select the day that log entries are displayed for.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

Firewall Logs
The firewall logs contain information on network traffic.
To view the firewall logs:
1 Browse to the Logs and reports > Logs > Firewall page.

Filtering Firewall Logs
The following filter criteria controls are available in the Settings area:
Section – Used to select which firewall log is displayed. The content of each section is discussed below.
Month – Used to select the month that log entries are displayed for.
Day – Used to select the day that log entries are displayed for.
Compression – Used to ghost repeated sequential log entries for improved log viewing.

Source – Enter an IP address and click Update to display log entries for that source address.
Destination – Enter an IP address and click Update to display log entries for that destination address.
Src port – This drop-down list is populated with a list of all source ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Dst port – This drop-down list is populated with a list of all destination ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.
The list of possible sections that can be viewed is as follows:
Main – All rejected data packets.
Outgoing rejects – All data packets from the internal network zones that were rejected by an outbound access rule.
Outgoing stealth – All data packets from the internal network zones that were logged but not rejected by an outbound access rule.
Port forwards – All data packets from the external network that were forwarded by a port forward rule – if port forward logging is enabled on the Networking > Firewall > Port forwarding page.
Incoming audit – All traffic to all interfaces that is destined for the firewall – if Direct incoming traffic is enabled on the Networking > advanced page.
Outgoing audit – All traffic leaving from any interface – if Direct outgoing traffic is enabled on the Networking > Settings > Advanced page.
Forward audit – All traffic passing through one interface to another – if Forwarded traffic is enabled on the Networking > Settings > Advanced page.
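The Firewall Notifications alert (Configuring the Firewall Notifications Alert, above) raises a warning or an incident when a rapid series of inbound requests shares the same remote IP address, local IP address, remote port or local port, with ports on an Ignore list exempted. The following Python is an added example, not Smoothwall code: it applies that logic to constructed lines laid out in the firewall log's column order (time, in, out, source, destination, protocol, src port, dst port) as they would appear in the Main section; the 60 second window, ppp0 as the external interface and all addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lines in the firewall log's column order: time, in, out, source,
# destination, protocol, src port, dst port. They stand for rejected inbound
# packets from the Main section; ppp0 as the external interface is assumed.
SAMPLE_LOG = """\
2013-12-03 10:00:01 ppp0 - 203.0.113.7 198.51.100.2 TCP 40001 22
2013-12-03 10:00:02 ppp0 - 203.0.113.7 198.51.100.2 TCP 40002 23
2013-12-03 10:00:03 ppp0 - 203.0.113.7 198.51.100.2 TCP 40003 25
2013-12-03 10:00:04 ppp0 - 203.0.113.7 198.51.100.2 TCP 40004 80
2013-12-03 10:00:05 ppp0 - 203.0.113.7 198.51.100.2 TCP 40005 443
2013-12-03 10:00:11 ppp0 - 192.0.2.5 198.51.100.2 TCP 51000 445
2013-12-03 10:00:12 ppp0 - 192.0.2.6 198.51.100.2 TCP 51001 445
2013-12-03 10:00:13 ppp0 - 192.0.2.7 198.51.100.2 TCP 51002 445
2013-12-03 10:00:20 ppp0 - 192.0.2.20 198.51.100.2 UDP 5353 5353
2013-12-03 10:00:21 ppp0 - 192.0.2.21 198.51.100.2 UDP 5353 5353
2013-12-03 10:00:22 ppp0 - 192.0.2.22 198.51.100.2 UDP 5353 5353
2013-12-03 10:30:00 ppp0 - 203.0.113.7 198.51.100.2 TCP 40007 22
"""

# Each Monitor setting of the alert keys its count on one log column.
MONITORS = {
    "source_ip": "src",      # Monitor Source (remote) IP addresses
    "dest_ip": "dst",        # Monitor Destination (local) IP Addresses
    "source_port": "sport",  # Monitor Source (remote) Ports
    "dest_port": "dport",    # Monitor Destination (local) Ports
}


def parse_line(line):
    date, clock, in_if, out_if, src, dst, proto, sport, dport = line.split()
    return {
        "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        "in": in_if, "out": out_if, "src": src, "dst": dst, "proto": proto,
        "sport": int(sport), "dport": int(dport),
    }


def detect(log_text, warning=3, incident=5, window=timedelta(seconds=60),
           ignore_remote_ports=(), ignore_local_ports=(), external_if="ppp0",
           monitors=MONITORS):
    """Return (level, monitor, value, time) tuples in the order they fire.

    A count is the number of inbound entries (arriving on external_if) that
    share one column's value inside `window`; the guide does not state the
    window, so 60 s is an assumption. Warning fires when the count reaches the
    Warning threshold and incident when it reaches the Incident threshold.
    The Ignore lists exempt ports from the two port monitors only, as the
    per-field Ignore settings do.
    """
    recent = defaultdict(deque)   # (monitor, value) -> timestamps inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["in"] != external_if:   # only inbound traffic is monitored
            continue
        for monitor, column in monitors.items():
            value = rec[column]
            if monitor == "source_port" and value in ignore_remote_ports:
                continue
            if monitor == "dest_port" and value in ignore_local_ports:
                continue
            stamps = recent[(monitor, value)]
            stamps.append(rec["time"])
            while rec["time"] - stamps[0] > window:   # expire old entries
                stamps.popleft()
            count = len(stamps)
            # Equality rather than >= so each level fires once per burst and
            # can fire again once the window has emptied.
            if count == incident:
                level = "incident"
            elif count == warning:
                level = "warning"
            else:
                continue
            alerts.append((level, monitor, value, rec["time"].strftime("%H:%M:%S")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, ignore_remote_ports={5353}, ignore_local_ports={5353}):
        print(*alert)
```

Note that on a single-homed firewall the local-IP monitor fires for every burst, since all inbound traffic shares one destination; the thresholds for that field need to be set with that in mind.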

Viewing Firewall Logs
To view firewall logs, select the appropriate filtering criteria using the Settings area and click Update. The following columns are displayed:
Time – The time that the firewall event occurred.
In – The interface at which the data packet arrived.
Out – The interface at which the data packet left.
Source – The IP address of the data packet's sender.
Destination – The IP address of the data packet's intended destination.
Protocol – The network protocol used by the data packet.
Src Port – The outbound port number used by the data packet.
Dst port – The inbound port number used by the data packet.

Looking up a Source IP – whois
The firewall log viewer can be used to find out more information about a selected source or destination IP by using the whois tool.
To use whois:
1 Navigate to the Logs and reports > Logs > Firewall page.
2 Select a particular source or destination IP in Source and Destination columns.
3 Click Lookup. A lookup is performed and the result displayed on the System > Diagnostics > whois page.

Blocking a Source IP
The firewall log viewer can be used to add a selected source or destination IP to the IP block list.
To block a source IP:
1 Navigate to the Logs and reports > Logs > Firewall page.
2 Select one or more source or destination IPs.
3 Click Add to IP block list. The selected source and destination IPs will be automatically added to the IP block list which you can review on the Networking > Filtering > IP block page. See Chapter 5, Blocking by IP on page 51 for more information.

IPSec Logs
IPSec logs show IPSec VPN information.

To access the logs:
1 On Logs and reports > Logs > IPSec.
2 Choose the tunnel you are interested in by using the Tunnel name control.
3 To view the logs for all of the tunnels at once, choose ALL as the tunnel name.
4 After making a change, click Update.

Exporting Logs
To export and download all log entries generated by the current settings, click Export.

Exporting all dates
To export and download all log entries generated by the current settings, for all dates available, select
Export all dates, and click Export.

Viewing and Sorting Log Entries
The following columns are displayed in the Web log region:
Time – The time the tunnel activity occurred.
Name – The name of the tunnel concerned.
Description – Log entries generated by the VPN system.
Log entries are displayed over a manageable number of pages. To view a particular page, click its
Page number hyperlink displayed above or below the log entries. The adjacent << (First), < (Previous),
> (Next) and >> (Last) hyperlinks provide an alternative means of moving between pages.
To sort the log entries in ascending or descending order on a particular column, click its Column title
hyperlink. Clicking the currently selected column reverses the sort direction.


Email Logs
Email logs provide detailed, configurable and searchable information on email activity regarding time,
sender, recipient, subject and spam status.

Configuring Email Logs
To access and configure email logs:
1 Navigate to the Logs and reports > Logs > Email page. Advanced Firewall displays the currently configured log entries.
2 Click Advanced, the following options are displayed:
Sender – Select to display who sent the email message(s).
Recipient – Select to display who the email message(s) are for.
Subject – Select to display the subject line of the email message(s).
Spam – Select to display information on message(s) that have been classified as spam.
3 Select the options you want to display. Advanced Firewall updates what is displayed.

Monitoring Email Log Activity in Realtime
It is possible to monitor email log activity in realtime.
To monitor email log activity in realtime:
1 On the Logs and reports > Logs > Email page, click Realtime. Advanced Firewall displays the currently configured log options in realtime in a table of log entries and in the email graph. The results are updated automatically.
Tip: To get a closer look at what is happening at a specific time, locate and click on that time in the graph. Advanced Firewall stops the realtime display and shows what has been logged at the time you clicked on.
2 To stop realtime monitoring, click Realtime. Advanced Firewall stops displaying realtime data.


Searching for/Filtering Email Log Information
Advanced Firewall enables you to search for/filter information in a number of ways.
To search for/filter information:
1 On the Logs and reports > Logs > Email page, use one or more of the following methods:
Graph – On the graph, locate and click on the time you are interested in. Advanced Firewall displays what was logged at the time you clicked on.
Time – Click in the date and time picker and specify when to search from. Click Apply. Advanced Firewall displays the results from the time specified and two hours forward.
Free search term – In the Sender, Recipient, Subject and/or Spam column(s), enter one or more search terms. Advanced Firewall displays the search results.

Exporting Email Data
It is possible to export logged data in comma-separated (CSV) format.
To export data:
1 On the Logs and reports > Logs > Email page, configure or search for the data you want to export. For more information, see Configuring Email Logs on page 245 and Searching for/Filtering Email Log Information on page 246.
2 Click Export. Follow your browser’s prompts to save and export the data.

IDS Logs
The IDS logs contain details of suspicious network activity detected by Advanced Firewall’s intrusion detection system (IDS).
To view the IDS logs:
1 Navigate to the Logs and reports > Logs > IDS page. Advanced Firewall displays the results.
The following options are available:
Month – Specify which month you wish to view logs for.
Day – Specify which day you wish to view logs for.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

Exporting Logs
To export logs:
1 Filter the logs to show the information you want to export.
2 Select the export format and if you want to export all dates.
3 Click Export. To save the exported log, use the browser's File, Save As option.

IPS Logs
The IPS logs contain details of suspicious network activity prevented by Advanced Firewall’s intrusion prevention system (IPS).
To view the IPS logs:
1 Navigate to the Logs and reports > Logs > IPS page. Advanced Firewall displays the results.
The following options are available:
Month – Specify which month you wish to view logs for.
Day – Specify which day you wish to view logs for.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

IM Proxy Logs
The IM proxy log page displays a searchable log of instant messaging conversations and file transfers.
To view the IM proxy logs:
1 Browse to Logs and reports > Logs > IM proxy page.
The following settings are available:
Local user filter – Enter the name of a local user whose logged conversations you want to view.
Enable local user filter – Select to display conversations associated with the local user name entered.
Remote user filter – Enter the name of a remote user whose logged conversations you want to view.
Enable remote user filter – Select to display conversations associated with the remote user name entered.
Enable smilies – Select to display smilies in the conversation.
Enable links – Select to make links in the conversation clickable.
Search – Here you can enter a specific piece of text you want to search for.
Conversations – Enables you to browse conversations by instant messaging protocol, user ID and date.

Web Proxy Logs
The proxy logs contain detailed information on all Internet access made via the web proxy service. It is possible to filter the proxy logs using any combination of requesting source IP, and requested resource type and domain.
To view the web proxy logs:
1 Browse to Logs and reports > Logs > Web proxy page.

Reverse Proxy Logs
The reverse proxy logs contain time, source IP and web site information about requests made using the reverse proxy service.
To view reverse proxy logs:
1 Browse to the Logs and reports > Logs > Reverse proxy page.


Filtering Reverse Proxy Logs
The following filter criteria controls are available in the Settings area:
Month – Used to choose the month that proxy logs are displayed for.
Day – Used to choose the day that proxy logs are displayed for.
Year – Used to choose the year that proxy logs are displayed for.
Ignore filter – Used to enter a regular expression that excludes matching log entries. The default value excludes common log entries for image, JavaScript, CSS style and other file requests.
Enable ignore filter – Select to enable the filter.
Domain filter – Used to display log entries recorded against a particular domain. Matching will occur on the start of the domain part of the URL. For example, www.abc will match www.abc.com and www.abc.net but not match abc.net. It is possible to include regular expressions within the filter – for example (www.)?abc.com will match both abc.com and www.abc.com.
Enable domain filter – Select to enable the filter.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

Note: When running SSL VPNs in TCP mode, the reverse proxy access logs generated for HTTPS requests
will contain a source address of 127.0.0.1. This is because OpenVPN has to proxy the HTTPS
traffic. Therefore, from Advanced Firewall’s point of view, the traffic is originating from localhost.
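The Ignore filter and Domain filter described above, as an added Python example that is not Smoothwall code: it applies both filters to constructed log entries carrying the Time, Source IP and Website columns, and also shows that the unanchored (www.)?abc.com form matches any domain that merely begins with those characters. The default ignore expression and all addresses are assumptions; 127.0.0.1 stands in for an HTTPS request proxied by OpenVPN in TCP mode, as the note above describes.

```python
import re

# Constructed reverse proxy log entries: (time, source IP, website).
SAMPLE_ENTRIES = [
    ("2013-12-03 09:00:01", "198.51.100.20", "www.abc.com/index.html"),
    ("2013-12-03 09:00:02", "198.51.100.20", "www.abc.com/logo.png"),
    ("2013-12-03 09:00:03", "198.51.100.21", "www.abc.net/login"),
    ("2013-12-03 09:00:04", "198.51.100.22", "abc.net/app.js"),
    ("2013-12-03 09:00:05", "127.0.0.1", "abc.com/portal"),
    ("2013-12-03 09:00:06", "198.51.100.23", "www.abc.com/style.css"),
    ("2013-12-03 09:00:07", "198.51.100.24", "www.abc.com.example/index.html"),
]

# Assumed stand-in for the page's default Ignore filter, which excludes image,
# JavaScript and CSS requests; the real default expression is not shown.
DEFAULT_IGNORE = r"\.(?:gif|jpe?g|png|js|css)$"


def domain_part(website):
    """The domain part of the logged URL: everything before the first slash."""
    return website.split("/", 1)[0]


def filter_entries(entries, domain_filter=None, ignore_filter=DEFAULT_IGNORE):
    """Apply the Ignore filter and then the Domain filter as the guide describes.

    The Domain filter is matched at the start of the domain part (re.match),
    so "www.abc" matches www.abc.com and www.abc.net but not abc.net, and the
    regular expression "(www.)?abc.com" matches abc.com and www.abc.com. Note
    that an unescaped "." matches any character and nothing anchors the end,
    so "(www.)?abc.com" also matches www.abc.com.example; the escaped and
    anchored form r"(www\.)?abc\.com$" matches only the intended domain.
    """
    ignore_re = re.compile(ignore_filter) if ignore_filter else None
    domain_re = re.compile(domain_filter) if domain_filter else None
    kept = []
    for entry in entries:
        website = entry[2]
        if ignore_re and ignore_re.search(website):   # Ignore filter excludes matches
            continue
        if domain_re and not domain_re.match(domain_part(website)):
            continue
        kept.append(entry)
    return kept


def times(entries):
    """Just the clock part of each entry's time, for compact comparison."""
    return [t.split(" ")[1] for t, _, _ in entries]


def count_by_source(entries):
    """Requests per source IP, labelling localhost as the note above explains."""
    counts = {}
    for _, src, _ in entries:
        label = "127.0.0.1 (HTTPS via SSL VPN in TCP mode)" if src == "127.0.0.1" else src
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(times(filter_entries(SAMPLE_ENTRIES, "www.abc")))
    print(times(filter_entries(SAMPLE_ENTRIES, "(www.)?abc.com")))      # includes the lookalike
    print(times(filter_entries(SAMPLE_ENTRIES, r"(www\.)?abc\.com$")))  # exact domain only
    print(count_by_source(filter_entries(SAMPLE_ENTRIES)))
```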

Viewing Reverse Proxy Logs
To view proxy logs:
1 Select the appropriate filtering criteria using the Settings area and click Update. Proxy logs are displayed in the Proxy log area. The following columns are displayed:
Time – The time the web request was made.
Source IP – The source IP address the web request originated from.
Website – The URL of the requested web resource.


User Portal Logs
The User portal log page displays information on users who have accessed user portals.
To view user portal log activity:
1 Browse to the Logs and reports > Logs > User portal page. Advanced Firewall displays the information.

Configuring Log Settings
Advanced Firewall can send syslogs to an external syslog server, automatically delete log files when disk space is low and set the maximum log file retention settings.
To configure logging settings:
1 Browse to the Logs and reports > Logs > Log settings page.
2 In the Syslog logging area, select the logging you require.

3 To enable and configure remote logging, configure the following settings:
Remote syslog – To send logs to an external syslog server, select this setting.
Syslog server – If you have selected the Remote syslog option, enter the IP address of the remote syslog server.
Default retention – To set default log retention for all of the logs listed above, select one of the following settings:
1 Day – Rotate the log file daily and keep the last day.
2 Days – Rotate the log file daily and keep the last 2 days.
A week – Rotate the log file weekly and keep the last week.
2 weeks – Rotate the log file weekly and keep the last 2 weeks.
A month – Rotate the log file monthly and keep the last month.
2 months – Rotate the log file monthly and keep the last 2 months.
Three months – Rotate the log file monthly and keep the last 3 months.
Four months – Rotate the log file monthly and keep the last 4 months.
Five months – Rotate the log file monthly and keep the last 5 months.
Six months – Rotate the log file monthly and keep the last 6 months.
Seven months – Rotate the log file monthly and keep the last 7 months.
Eight months – Rotate the log file monthly and keep the last 8 months.
Nine months – Rotate the log file monthly and keep the last 9 months.
Ten months – Rotate the log file monthly and keep the last 10 months.
Eleven months – Rotate the log file monthly and keep the last 11 months.
A year – Rotate the log file monthly and keep the last 12 months.
4 Optionally, to set an individual retention period for specific logs, click Advanced and configure the settings displayed.
5 Click Save. Advanced Firewall will log and retain the information you have specified and, if configured, send logs to the remote syslog server.

Configuring Other Log Settings
Advanced Firewall enables you to configure retention settings for other logs.
To configure other logs:
1 Browse to the Logs and reports > Logs > Log settings page.

2 In the Other logging area, configure the following settings:
Default retention – To set default log retention for all of the logs listed in the table below, select one of the following settings:
1 Day – Rotate the log file daily and keep the last day.
2 Days – Rotate the log file daily and keep the last 2 days.
A week – Rotate the log file weekly and keep the last week.
2 weeks – Rotate the log file weekly and keep the last 2 weeks.
A month – Rotate the log file monthly and keep the last month.
2 months – Rotate the log file monthly and keep the last 2 months.
Three months – Rotate the log file monthly and keep the last 3 months.
Four months – Rotate the log file monthly and keep the last 4 months.
Five months – Rotate the log file monthly and keep the last 5 months.
Six months – Rotate the log file monthly and keep the last 6 months.
Seven months – Rotate the log file monthly and keep the last 7 months.
Eight months – Rotate the log file monthly and keep the last 8 months.
Nine months – Rotate the log file monthly and keep the last 9 months.
Ten months – Rotate the log file monthly and keep the last 10 months.
Eleven months – Rotate the log file monthly and keep the last 11 months.
A year – Rotate the log file monthly and keep the last 12 months.
3 Click Advanced to see what other logs are available and to determine if you want to set individual log retention settings.
Default retention – From the drop-down menu, select the default retention period you want to use for advanced logging settings. To set individual retention periods, configure the settings below.
Intrusion detection logs – From the drop-down menu, select how long you want to keep intrusion detection logs.
Intrusion prevention logs – From the drop-down menu, select how long you want to keep intrusion prevention logs.
IM logs – From the drop-down menu, select how long you want to keep instant messaging logs.
4 Click Save. Advanced Firewall will now retain the logs as you have specified.

Managing Automatic Deletion of Logs
Advanced Firewall can be set to automatically delete log files if there is a limited amount of free disk
space available.
To configure automatic log deletion:
1 Browse to the Logs and reports > Logs > Log settings page.
2 In the Automatic log deletion area, configure the settings:
Delete old logs when free space is low – Select to automatically delete logs when the specified amount of disk space has been used.
Amount of disk space to use for logging – From the drop-down list, select the level at which Advanced Firewall will delete logs.
3 Click Save. Advanced Firewall will delete the logs when the specified amount of disk space has been used.

Configuring Groups
The Groups page is used to create groups of users which can be configured to receive automated
alerts and reports.

Creating Groups
To create a group of users:
1 Browse to the Logs and reports > Settings > Groups page.
2 Configure the following settings:
Group name – From the Group name drop-down list, select Empty and click Select.
Name – Enter a name for the group.
3 Click Save. Advanced Firewall creates the group.
4 In the Add user area, configure the following settings:
Name – Enter a user's name.
SMS number – If required, enter the user's SMS number details.
Comment – Optionally, enter a description or comment.
Email address – If required, enter the user's email address.
Enable HTML Email – Select if you want emailed reports to be sent in HTML format.
Enabled – Select to ensure that the user will receive any reports or alerts that are sent to the group.
5 Click Add. The user's details will be added to the list of current users in the Current users region.

Editing a Group
To edit a group:
1

Browse to the Logs and reports > Settings > Groups page.

2

Choose the group that you wish to edit using the Group name drop-down list. Click Select to
display the group.

3

Make any changes to the group using the controls in the Add a user and Current users areas.

Deleting a Group
To delete a group:
1

Browse to the Logs and reports > Settings > Groups page.

2

Select the group to be deleted using the Group name drop-down list.

3

Click Delete.

Configuring Output Settings
Reports and alerts are distributed according to Advanced Firewall's output settings. In order to send
reports and alerts, Advanced Firewall must be configured to operate with mail servers and email-to-SMS gateway systems.
To access output settings:
1

Browse to the Logs and reports > Settings > Output settings page.


About Email to SMS Output
Advanced Firewall generates SMS alerts by sending emails to a designated email-to-SMS gateway. When an email-to-SMS gateway receives an email, it extracts the information it needs and composes an SMS message which is then sent.

A wide variety of different email-to-SMS gateway services are available. Unfortunately, each has its own definition of the format that an email should arrive in. While there are a few conventions (usually the destination SMS number is placed in the email's subject line), it is necessary to configure Advanced Firewall so that it can format email messages in the format specified by your email-to-SMS gateway service provider.

About Placeholder Tags
To allow easy configuration of message formats for different service providers, Advanced Firewall uses placeholder tags that can be incorporated into an email template. The placeholder tags available are as follows:
%%ALERT%% – The content of the alert message.
%%SMS%% – The recipient SMS number.
%%EMAIL%% – The recipient's email address.
%%HOSTNAME%% – The hostname of the Advanced Firewall system (useful when using multiple firewall systems).
%%DESCRIPTION%% – The description of the Advanced Firewall system (useful when using multiple firewall systems).
%%--%% – A special placeholder that indicates that all text following it should be truncated to 160 characters. This requires truncation to be enabled (indicated by the Truncate SMS messages to 160 characters option).

For example, if an email-to-SMS gateway requires emails to be sent to <telephone number>@sampleSMS.com, the following configuration would provide this:
%%SMS%%@sampleSMS.com

If the content of the message should be entered in the email message body, the following configuration would provide this:
%%ALERT%%

Networks with multiple Advanced Firewall systems may wish to include detail of the system that the alert was generated by. The following examples would provide this:
%%ALERT%% - From: %%HOSTNAME%%
%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)
%%ALERT%% - From: %%DESCRIPTION%%
%%ALERT%% - %%HOSTNAME%%
%%ALERT%% : %%DESCRIPTION%% (%%HOSTNAME%%)

Some email-to-SMS gateways cannot process messages whose content is longer than 160 characters. To compensate for this, Advanced Firewall can be configured to truncate messages. In this mode, all characters past position 155 are removed and the text ...+ is appended to the message to indicate that truncation has occurred.

A further complication is caused by email-to-SMS gateways that require parameters such as usernames and passwords to be set within the email's message body. In situations where truncation is enabled, such additional (yet required) parameter text may force truncation of the actual alert. To avoid this, insert the special %%--%% placeholder at the start of the actual message content, so that any truncation is only applied to the actual alert content.
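The placeholder substitution and the 160-character truncation rule above, as an added example that is not Smoothwall's code. It renders a template with the documented tags, cuts at position 155 and appends ...+, and honours %%--%% so that gateway parameters placed before the marker are never truncated. The tag regex, the handling of tags that have no value and the removal of the marker when truncation is off are this example's assumptions; the sample alert values are constructed.

```python
"""Added example (not Smoothwall's code): render an email-to-SMS template
with the placeholder tags described above and apply the documented
160-character truncation rule.  Where the guide does not say what the product
does (unknown tags, the %%--%% marker when truncation is off), the choices
here are assumptions and are commented as such."""

import re

SMS_LIMIT = 160                 # longest body some gateways will accept
KEEP = 155                      # "all characters past position 155 are removed"
TRUNCATION_MARKER = "...+"      # appended to show that truncation happened
CUT_MARKER = "%%--%%"           # only text after this is subject to truncation

_TAG = re.compile(r"%%([A-Z]+)%%")   # %%ALERT%%, %%SMS%%, %%EMAIL%%, ...


def substitute(template: str, values: dict) -> str:
    """Replace each %%TAG%% with values[TAG].
    Assumption: a tag with no value is left in place rather than blanked."""
    return _TAG.sub(lambda m: str(values.get(m.group(1), m.group(0))), template)


def render(template: str, values: dict, truncate: bool = False) -> str:
    """Substitute placeholders, then enforce the SMS length rule.

    The template is split at %%--%% before substitution, so alert text that
    happens to contain the string "%%--%%" cannot move the cut point or push
    the gateway's username/password parameters into the truncated part.
    Assumption: the marker itself is never sent, even when truncation is off.
    """
    head, marker, tail = template.partition(CUT_MARKER)
    if not marker:                     # no marker: the whole body is truncatable
        head, tail = "", head
    head = substitute(head, values)
    tail = substitute(tail, values)
    if truncate and len(tail) > SMS_LIMIT:
        tail = tail[:KEEP] + TRUNCATION_MARKER
    return head + tail


# Constructed sample values for a two-firewall deployment (not real data).
SAMPLE_VALUES = {
    "ALERT": "IPS: 47 blocked connections from 203.0.113.9 in the last 5 min",
    "SMS": "447700900123",
    "EMAIL": "noc@example.org",
    "HOSTNAME": "fw-london-1",
    "DESCRIPTION": "London office",
}

if __name__ == "__main__":
    print(render("%%SMS%%@sampleSMS.com", SAMPLE_VALUES))
    print(render("%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)", SAMPLE_VALUES))
    # Gateway parameters before the marker are never cut; the alert is.
    noisy = dict(SAMPLE_VALUES, ALERT="x" * 300)
    print(render("user=gw pass=secret %%--%%%%ALERT%%", noisy, truncate=True))
```

Splitting at the marker before substituting is the detail worth copying: alert text is untrusted (it may quote attacker-controlled packet or URL data), and substituting first would let an alert containing %%--%% choose where the cut lands.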

Configuring Email to SMS Output
To configure Advanced Firewall's SMS settings:
1 Browse to Logs and reports > Settings > Output settings.
2 In the Email to SMS Output System area, configure the following settings:
SMTP server – Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.
Enable SMTP auth – Select to use SMTP auth if required.
Username – If using SMTP auth, enter the username.
Password – If using SMTP auth, enter the password.
Sender's email address – Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
SMS to address – Specify the formatting of the email's To: address according to the format required by your service provider. This may be a regular email address, or it may require additional placeholders such as %%SMS%% to identify the destination of the SMS.
SMS subject line – Enter the subject line of the SMS email as specified by your email-to-SMS service provider. This will often contain the %%SMS%% placeholder as many email-to-SMS gateways use the subject line for this purpose.
SMS message body – Enter additional parameters and the content of the alert message.
Truncate SMS messages to 160 characters – Select if you want the content of the SMS message body to be truncated to 160 characters or if your email-to-SMS gateway service provider instructs you to do so. If the truncation is required from a particular point onwards, use the %%--%% placeholder to indicate its start position.
3 Click Save.

Testing Email to SMS Output
To test the output system:
1 In the Send test to: field, enter the cell phone number of the person who is to receive the test.
2 Click Send test.

Output to Email
To configure email settings:
1 Browse to Logs and reports > Settings > Output settings.
2 In the SMTP (Email) Output System area, configure the following settings:
SMTP server – Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.
Enable SMTP auth – Select to use SMTP auth if required.
Username – If using SMTP auth, enter the username.
Password – If using SMTP auth, enter the password.
Sender's email address – Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
3 Click Save.

Generating a Test Alert
To generate a test alert:
1 Configure Email to SMS output and/or SMTP (Email) output.
2 Click Generate test alert.

Chapter 13 Managing Your Advanced Firewall
In this chapter:
• Installing system and security updates
• Managing module installations and product licensing
• Creating and restoring archives
• Scheduling automatic maintenance
• Shutting down and restarting
• Setting system preferences
• Configuring administration and access settings
• Managing tenants
• Configuring UPS devices, modems, hardware failover and firmware settings
• Producing diagnostic files
• Managing certificates.

Installing Updates
The following section explains how to install updates.

Installing Updates
Administrators should use Advanced Firewall's update facility whenever a new update is released. Updates are typically released in response to evolving or theoretical security threats as they are discovered. System updates may also include general product enhancements as part of Smoothwall's commitment to continuous product improvement.

Advanced Firewall must be connected to the Internet in order to discover, download and install system updates. Smoothwall's support systems are directly integrated with Advanced Firewall's system update procedure, allowing the Smoothwall support department to track the status of your system.

Note: If Advanced Firewall is configured for failover, see Installing Updates on a Failover System on page 260 for information on how to proceed.

To install updates:
1 Navigate to the System > Maintenance > Updates page. Any updates available will be listed in the Available updates area.
2 Configure the following settings:
Refresh update list – Click to get a list of available updates.
Download updates – Click to download all available updates. Once downloaded, the updates are listed in the Pending updates area.
Install updates – Click to install all updates in the Pending updates area immediately.
Install at this time – Enter the time at which you want to install the updates if you do not want to install them immediately and click Install at this time.
Clear download cache – Click to clear any downloaded updates stored in the cache.
3 If the update requires a reboot, reboot the system on the System > Maintenance > Shutdown page.

Installing Updates on a Failover System
The following section explains how to install updates on a failover system. Following these steps ensures the correct application of all pending updates and also performs a failover test between the master and the failover unit.

To install updates on a failover system:
1 On the master's System > Maintenance > Updates page, download the updates.
2 Wait until the updates have been transferred to the failover unit. This should happen within 5 minutes.
3 Go to the failover unit's web interface and install the pending updates. Once they have been installed, the failover unit displays information on the update and prompts for a reboot.
4 On the System > Maintenance > Shutdown page, reboot the failover unit.
5 When the failover unit is up and running again, install the updates on the master and reboot. During master downtime, the failover unit is active and remains so until the master is live again.

Managing Modules
Advanced Firewall's major system components are separated into individually installed modules. Modules can be added to extend Advanced Firewall's capabilities, or removed in order to simplify administration and reduce the theoretical risk from as yet undiscovered security threats.

Note: Modules must be registered against your Advanced Firewall serial number before they can be installed and used. For further information, please consult your Smoothwall partner or, if purchased directly, Smoothwall.

Advanced Firewall must be connected to the Internet in order to install modules.

Note: The information displayed depends on the product series you are using.

To install a module:
1 Navigate to the System > Maintenance > Modules page.
2 In the Available modules area, locate the module and click Install. Please read the module description carefully prior to installation.
3 Reboot Advanced Firewall on the System > Maintenance > Shutdown page.

Note: Some module installations require a full reboot of Advanced Firewall.

Removing a Module
To remove a module:
1 Navigate to the System > Maintenance > Modules page.
2 In the Installed modules area, locate the module and click Remove.

Licenses
Advanced Firewall contains information on licenses and subscriptions.

Note: The information displayed depends on the Smoothwall product you are using.

To view license information:
1 Navigate to the System > Maintenance > Licenses page.

Note: The Subscriptions area is used to manage blocklists used by add-on modules. For more information, see the documentation delivered with your Smoothwall add-on module.

Installing Licenses
You can buy additional licenses from Smoothwall or an approved Smoothwall partner. License installation and activation is an automated process, initiated via a secure request to Smoothwall licensing servers.

To install additional licenses:
1 Navigate to the System > Maintenance > Licenses page.
2 Click Refresh license list. This will cause the available license information to be updated via the Internet, and any new licenses will be installed.

Archives
The Archives page is used to create and restore archives of system settings. Archives can be saved on removable media and used when restoring an Advanced Firewall system. They can also be used to create clones of existing systems.

About Archive Profiles
You can assign a profile to an archive enabling you to specify which components you want backed up in a particular archive. You can create and assign up to 20 profiles and generate their archives automatically. Profiles are also used to store settings for Smoothwall replication systems. For more information on replication in Smoothwall systems, see Chapter 14, Centrally Managing Smoothwall Systems on page 291.

Note: You can automatically schedule the creation of backup archives. For further information, see Scheduling on page 264.

Tip: Log on to our support portal and read how to set up a Windows SSH server with keys in order to back up system settings.

Creating an Archive
To create an archive:
1 Navigate to the System > Maintenance > Archives page.
2 Configure the following settings:
Profile – To create a new profile, from the drop-down list, select Empty and click Select. To reuse or modify an existing profile, from the drop-down list select the profile and click Select.
Profile name – Enter a name for the profile.
Comment – Enter a description for the archive.
Automatic backup – Select if you want to archive settings automatically.
Settings – Settings available include general settings for Advanced Firewall and replicable settings which can be used in a Smoothwall system. Select the components you want to archive or select All to select and archive all settings. A marker next to a setting indicates that the setting can be replicated. For more information, see Chapter 14, Centrally Managing Smoothwall Systems on page 291.
Logs – Select the log files you want to archive or select All to select and archive all logs.
3 Click Save and backup to create the archive.

Downloading an Archive
To download an archive:
1 In the Archives area, from the drop-down list, select the archive.
2 Click Download and save the archive to disk using the browser's Save as dialog box.

Restoring an Archive
To restore an archive:
1 In the Archives area, select the archive.
2 Click Restore. The archive contents are displayed.
3 Select the components in the archive that you want to restore and click Restore.

Deleting Archives
To delete an archive:
1 In the Archives area, select the archive and click Delete.

Uploading an Archive
This is where you upload archived settings from previous versions of Advanced Firewall and Smoothwall modules so that they can be re-used in the current version(s).
To upload an archive:
1 In the Upload area, enter the name of the archive and click Browse.
2 Navigate to and select the archive.
3 Click Upload to upload the archive.

Scheduling
You can configure Advanced Firewall to automatically discover and download system updates, modules and license upgrades using the scheduler. You can also use the scheduler to create and remotely archive automatic backups. Other system modules can integrate with the scheduler to provide additional automated maintenance tasks.

To create a schedule of tasks:
1 Navigate to the System > Maintenance > Scheduler page.
2 Configure the following settings:
Day – From the drop-down list, select the day of the week that the tasks will be executed.
Hour – From the drop-down list, select the time of day at which the tasks will be executed.
Check for new updates – Select to check for new system updates.
Download updates – Select to download available updates.
Check for new modules – Select to check for new modules.
Check for license upgrades – Select to discover and install license upgrades.

Prune archives – Options here enable you to schedule archive pruning if you require it. Select one of the following options:
Don't prune – This is the default option; archives are never pruned.
Over a month – Select this option to prune archives that are older than one month.
Over 2 months – Select this option to prune archives that are older than two months.
Over 3 months – Select this option to prune archives that are older than three months.
3 Click Save.

Scheduling Remote Archiving
Scheduled remote archiving uses SSH keys to allow Advanced Firewall to securely copy files to a remote SSH server without the need for passwords. The use of SSH keys requires Advanced Firewall to generate a key pair, which it uses to authenticate the file transfers it sends to the SSH server. The SSH server must be configured to accept connections from Advanced Firewall in this manner: it requires the public half of the key pair to be installed.

To schedule remote archiving:
1 Navigate to the System > Maintenance > Scheduler page.
2 In the Remote archive destinations area, click Export Public Backup Key.
3 Install the public key on the remote SSH server. For details on how to do this, please consult the administrator's guide of the SSH server in use.
4 In the Remote archive destinations area, enter the following information:
Name – Enter a name to identify this destination.
Comment – Enter a description of the destination.
Server – Set the IP address of the SSH server.
Port Number – Set the port number used to access the SSH server (normally port 22).
Username – Specify the user name of the account on the SSH server that will be used. For additional security it is recommended that this user has no additional privileges and is only allowed write access to the specified Remote path.
Remote path – Enter the path where archives are to be stored on the remote SSH server, for example: /home/mypath/ If left blank, Advanced Firewall uses the default home directory of the specified remote user.
Transfer Speed Limit – Specify the maximum transfer speed when automatic archiving occurs. This control is useful for preventing the automatic remote archiving system adversely affecting the performance of other network traffic.
5 Click Add.
6 Repeat the steps above to make other destinations available.
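The guide leaves the server side to the SSH server's own documentation and only recommends that the backup account have no privileges beyond writing into the Remote path. The following is an added example, not Smoothwall's code, showing what that looks like for an OpenSSH server: it builds an authorized_keys entry for the exported public key that pins the key to the firewall's address and to a single upload command, audits an existing authorized_keys file for entries that lack those restrictions, and encodes the decision a forced command should make on the client's requested command. The OpenSSH version, the use of scp for the upload, the wrapper path /usr/local/bin/recv-archive and the sample key are all assumptions of this example.

```python
"""Added example (not Smoothwall's code): build and audit an OpenSSH
authorized_keys entry for the account that receives Advanced Firewall's
scheduled archives, following the guide's advice that this user should have
no privileges beyond writing into the Remote path.
Assumptions not stated in the guide: the remote server runs OpenSSH 7.2 or
later (which has the "restrict" option), the firewall uploads with scp, and
its source address is fixed so the key can be pinned with from=.  The
forced-command wrapper path is hypothetical."""

import re
import shlex

# Constructed sample key for illustration only; in practice paste the key
# obtained with "Export Public Backup Key".
SAMPLE_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial"
                 "ForIllustrationOnly00000000000 backup@fw-london-1")

FORCED_COMMAND = "/usr/local/bin/recv-archive"     # hypothetical wrapper script
REQUIRED_OPTIONS = ("restrict", "from", "command")

# key=value or bare-flag options; values are double-quoted and may contain \"
_OPT = re.compile(r'([A-Za-z-]+)(?:="((?:[^"\\]|\\.)*)")?')


def restricted_key_line(pubkey: str, source_ip: str, archive_dir: str) -> str:
    """One authorized_keys line for the backup account.

    restrict  - no port/agent/X11 forwarding, no PTY
    from=     - only the firewall's address may present this key
    command=  - the key can run nothing but the upload wrapper for archive_dir
    """
    opts = f'restrict,from="{source_ip}",command="{FORCED_COMMAND} {archive_dir}"'
    return f"{opts} {pubkey}"


def parse_options(line: str) -> dict:
    """Return the options of one authorized_keys line as {name: value};
    {} for a comment, a blank line, or a bare key with no options."""
    line = line.strip()
    if not line or line.startswith("#"):
        return {}
    if line.split(" ", 1)[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return {}
    end, quoted = 0, False           # options end at the first unquoted space
    while end < len(line) and (quoted or line[end] != " "):
        if line[end] == '"':
            quoted = not quoted
        end += 1
    return dict(_OPT.findall(line[:end]))


def audit(authorized_keys: str) -> list:
    """List (line number, missing options) for every key that is not locked
    down; run it against the backup account's ~/.ssh/authorized_keys."""
    findings = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        missing = [o for o in REQUIRED_OPTIONS if o not in parse_options(line)]
        if missing:
            findings.append((n, missing))
    return findings


def upload_allowed(original_command: str, archive_dir: str) -> bool:
    """The decision the forced command must make on $SSH_ORIGINAL_COMMAND:
    accept only an scp upload into archive_dir; refuse shells, downloads
    and any other directory.  Adjust the allow-list to the exact command
    the firewall issues (visible in sshd's debug log)."""
    try:
        parts = shlex.split(original_command)
    except ValueError:
        return False
    return parts in (["scp", "-t", archive_dir], ["scp", "-t", archive_dir + "/"])


# Constructed sample file: line 2 is a bare key (full shell), line 3 is the
# restricted entry this example recommends.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# backup account keys (constructed sample)",
    SAMPLE_PUBKEY,
    restricted_key_line(SAMPLE_PUBKEY, "192.0.2.10", "/srv/fw-archives"),
])

if __name__ == "__main__":
    for n, missing in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {n}: missing {', '.join(missing)}")
```

A bare key line gives the firewall's key an interactive shell as the backup user; the restricted line confines it to one command from one address, which is the property the guide asks for. If the server's scp is the SFTP-based one found in recent OpenSSH releases, the equivalent confinement is a Match block with ForceCommand internal-sftp and a ChrootDirectory rather than the scp allow-list shown here.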

7 In the Remote archival area, enter the following information:
Day – The day of the week to carry out the archive.
Hour – The hour of the day to carry out the archive.
Archive profile – From the drop-down list, select an archive profile as configured on the Archives page.
Archive destination – From the drop-down list, select a destination as configured in the Remote archive destinations area.
Comment – Enter a description of the archive.
Enabled – Select to enable the archive.
8 Click Add.
9 Repeat the steps above to configure other archives for scheduled remote archiving.

Note: A local copy of the archive is also created and stored.

Editing Schedules
To edit a schedule:
1 In the appropriate area, select the destination or task and click Edit or Remove.

Shutting down and Rebooting
Advanced Firewall can be shut down or restarted immediately, after a specified delay or at a predetermined time.
To shut down or reboot:
1 Browse to the System > Maintenance > Shutdown page.
2 Configure the following settings:
Immediately – Select to shut down or reboot immediately.
Delay action for – Select to shut down or reboot after a specified length of time. From the drop-down menu, select the length of time.

At the following time – Select to shut down or reboot at a specified time. From the drop-down menu, select the hour and minute at which to shut down or reboot.
3 Click Reboot to reboot at the specified time, or click Shutdown to shut down at the specified time.

Setting System Preferences
The following sections discuss how to configure the user interface, time settings and a web proxy if your ISP requires you to use one. It is also possible to alter the system's description.

Configuring the User Interface
Advanced Firewall can be customized in different ways, depending on how you prefer working. The main changes that can be made are the method of displaying errors and the drop-down list navigation system.
To configure the user interface:
1 Browse to the System > Preferences > User interface page.
2 Configure the following settings:
Host information – In the description field, enter a description to identify Advanced Firewall. This will be displayed in the title bar of the browser window.
System control page – From the Report to show drop-down list, select the report you want displayed on the Dashboard.
Dashboard sections – Determines what, if any, information is displayed in the System Services area on the Dashboard.
3 Click Save.

Setting Time
Advanced Firewall's time zone, date and time settings can be specified manually or automatically retrieved from a local or external Network Time Protocol (NTP) server, typically located on the Internet. Advanced Firewall can also act as an NTP server itself, allowing network wide synchronization of system clocks.
To set the time:
1 Navigate to the System > Preferences > Time page.
2 Configure the following settings:
Timezone – From the drop-down list, select the appropriate time zone.
Time and date – To manually set the time and date:
1 Select Set and use the drop-down lists to set the time and date.
Network time retrieval – To automatically retrieve time settings:
1 Select Enabled in the Network time retrieval area.
2 Choose the time retrieval frequency by selecting an interval from the Interval drop-down list.
3 Select Save time to RTC to ensure that the time is written back to the system's hardware clock (the Real-Time Clock).
4 Choose one of the following network retrieval methods:
Multiple random public servers – Select to set the time as the average time retrieved from five random time servers.
Selected single public server – Select from the drop-down list a public time server to use to set the time.
User defined single public or local server – Enter the address of a specific local or external time server.

Network time service – Advanced Firewall can be used to synchronize the system clocks of local hosts by providing a time service. To synchronize the network time service:
1 Enable network time retrieval.
2 Select each internal network interface that the network time service should be available from.
3 Click Save.

Configuring Registration Options
Advanced Firewall enables you to use an upstream registration proxy if your ISP requires you to use one, and optionally, supply information about the status of your system and web filtering statistics.
To configure registration options:
1 Navigate to the System > Preferences > Registration options page.
2 Configure the following settings:
Upstream registration proxy – Server: Enter the hostname or IP address of the proxy server. Port: Enter the port number to use. Username: Enter the username provided by your ISP. Password: Enter the password provided by your ISP.
Note: The upstream proxy has no bearing on Advanced Firewall proxy services.

Extended information – When registering, updating and/or installing add-on modules, Advanced Firewall registration sends information about licences, subscription and add-on modules to Smoothwall. When this option is enabled and depending on which add-on modules are installed, the following information is also sent:
• Enabled status for optional services
• The number of configured interfaces and whether they are internal or external
• Authentication service settings and the LDAP server type
• Guardian transparent mode and authentication service settings mode
• Manufacturer name and product name – from dmidecode
• Main board manufacturer and main board product name – from dmidecode.
Note: No usernames, passwords or sensitive information are sent and any potentially identifying data is summarized before sending. Smoothwall will take every available measure to ensure data cannot be associated with your organization and no personal information is ever sent.
Provide filtering feedback information – When enabled, Advanced Firewall will periodically send information about web filtering accuracy and a list of the domains of any web sites which could not be classified.
3 Click Save. Advanced Firewall starts to use the configured upstream proxy and, if enabled, sends registration and/or filtering information.

Configuring the Hostname
You can configure Advanced Firewall's hostname. A hostname should usually include the name of the domain that it is within.
To change the hostname:
1 Browse to the System > Preferences > Hostname page.
2 Enter a new value in the Hostname field and click Save.
Note: After setting the hostname, a reboot is required before the HTTPS server will use the hostname in its Common Name field.

Configuring Administration and Access Settings
The following sections discuss administration, external access and account settings.

Configuring Admin Access Options
You can enable and disable remote access to Advanced Firewall's console via Secure Shell (SSH) and configure remote access referral checking.
To permit access to the console via SSH:
1 Navigate to the System > Administration > Admin options page.
2 Select SSH and click Save.
Note: Terminal access to Advanced Firewall uses the non-standard port 222.

To access Advanced Firewall via remote SSH, the following criteria must be met:
• The host must be from a valid network zone
• The host must be from a valid source IP
• The SSH service must be enabled
• Admin access must be set to enabled
• The setup or root username and password must be known.

Referral Checking
In order to ensure that configuration requests from the web interface originate from a logged in administrator, and not some third party web page, you can enable remote access referral checking. When enabled, administration requests are only processed if the referral URL contains the local IP address, the local hostname, or the external IP address where applicable.

If the referral is not from an Advanced Firewall page, the request is ignored and reported in the general Smoothwall log file.

Note: This function prevents Advanced Firewall from being accessed remotely via a DNS or a Dynamic DNS address. To remotely manage an Advanced Firewall system via a DNS or a Dynamic DNS address, the referral URL check must be disabled.

To enable referral checking:
1 Navigate to the System > Administration > Admin access page.
2 Select Allow admin access only from valid referral URLs in the Remote Access area.
3 Click Save.

Configuring External Access
External access rules are used to determine which interfaces, services, networks and host systems can be used to administer Advanced Firewall. The default external access rule allows administrators to access and configure Advanced Firewall from any source IP that can route to the system's first (default) network interface. This default rule allows administrators to access any of the following admin services:
• SSH admin – Access to the system console using port 222. Requires SSH access to be enabled, see Configuring Admin Access Options on page 272.
• HTTPS admin – Access to the web-based interface on port 441.
• HTTP admin – Access to the web-based interface on port 81.
To enable external access:
1 Browse to the System > Administration > External access page.
2 Configure the following settings:
Interface – From the drop-down list, select the interface that access is permitted from.

Source IP, or network – Specify individual hosts, ranges of hosts or subnet ranges of hosts that are permitted to use admin access. For a range of hosts, enter an IP address range, for example, 192.168.10.10-192.168.10.50. For a particular subnet of hosts, enter a subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24. If no value is entered, any source IP can access the system.
Service – Select the permitted access method.
Comment – Enter a description for the access rule.
Enabled – Select to activate access.
3 Click Add. The access rule is added to the Current rules table.

Note: Do not remove the default external access rule; it provides access to the default internal network.

Editing and Removing External Access Rules
To edit or remove access rules, use Edit and Remove in the Current rules area.

Administrative User Settings
Advanced Firewall supports different types of administrative accounts.
To manage accounts:
1 Navigate to the System > Administration > Administrative users page.
2 Configure the following settings:
Username – Enter a name for the user account.
Password – Enter a password. Passwords are case sensitive and must be at least six characters long.
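The referral check and the external access source rules above, as an added example that is not Smoothwall's code. It parses every source format the guide lists (blank, single address, a-b range, prefix/length and prefix/dotted-mask), evaluates a request against a rule set, and shows why the referral check blocks administration through a Dynamic DNS name. How the product compares the referral URL is not documented; this example compares the Referer's host component exactly against the firewall's own addresses, which is stricter than looking for an address anywhere in the URL. The rule dictionary layout, service names and sample addresses are this example's assumptions.

```python
"""Added example (not Smoothwall's code): the two admission checks described
above, the referral-URL check and the external access source rules, written
out so their behaviour and edge cases can be exercised.  How the product
compares the referral URL is not documented; here the Referer's host
component is compared exactly against the firewall's own addresses."""

import ipaddress
from urllib.parse import urlsplit


def referral_ok(referer: str, local_addrs) -> bool:
    """True if the Referer names one of this firewall's own addresses: its
    local IP, its hostname, or its external IP.  A missing Referer fails,
    and so does any other name, which is why the check blocks administration
    through a DNS or Dynamic DNS name unless the check is disabled."""
    if not referer:
        return False
    try:
        host = urlsplit(referer).hostname     # lower-cased, userinfo stripped
    except ValueError:                        # malformed URL, e.g. bad IPv6 brackets
        return False
    if host is None:
        return False
    return host in {a.lower() for a in local_addrs}


def parse_source(spec: str):
    """Parse the Source IP or network field: blank (any source), one address,
    a range a-b, or a subnet as prefix/length or prefix/dotted-mask."""
    spec = spec.strip()
    if not spec:
        return None                           # blank: any source IP may connect
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end before start: {spec}")
        return (lo, hi)
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)   # /24 or /255.255.255.0
    addr = ipaddress.ip_address(spec)
    return (addr, addr)


def source_matches(spec: str, source_ip: str) -> bool:
    """Does a connecting address fall inside one rule's source field?"""
    ip = ipaddress.ip_address(source_ip)
    parsed = parse_source(spec)
    if parsed is None:
        return True
    if isinstance(parsed, tuple):
        lo, hi = parsed
        return lo.version == ip.version and lo <= ip <= hi
    return ip in parsed


def admin_request_allowed(interface, source_ip, service, referer,
                          rules, local_addrs, referral_check=True) -> bool:
    """Gate an administration request on the referral check (if enabled)
    and on at least one enabled external access rule matching it."""
    if referral_check and not referral_ok(referer, local_addrs):
        return False
    return any(r["enabled"] and r["interface"] == interface
               and r["service"] == service
               and source_matches(r["source"], source_ip) for r in rules)


# Constructed sample rule set (not from a real system).  The first entry
# mirrors the default rule: any source that reaches the first interface.
SAMPLE_RULES = [
    {"interface": "eth0", "source": "", "service": "HTTPS admin", "enabled": True},
    {"interface": "eth1", "source": "192.168.10.10-192.168.10.50", "service": "HTTPS admin", "enabled": True},
    {"interface": "eth1", "source": "192.168.10.0/255.255.255.0", "service": "SSH admin", "enabled": True},
    {"interface": "eth2", "source": "203.0.113.5", "service": "HTTPS admin", "enabled": False},
]
LOCAL_ADDRS = {"192.168.10.1", "fw-london-1", "198.51.100.7"}

if __name__ == "__main__":
    print(admin_request_allowed("eth1", "192.168.10.20", "HTTPS admin",
                                "https://192.168.10.1:441/", SAMPLE_RULES, LOCAL_ADDRS))
    print(admin_request_allowed("eth1", "192.168.10.20", "HTTPS admin",
                                "https://fw.dyndns.example/", SAMPLE_RULES, LOCAL_ADDRS))
```

Two details matter in practice: a blank source field on a rule means any address, so a rule with an empty source on an external interface exposes the admin ports to the whole Internet; and parsing the Referer as a URL rather than searching it for the local address is what stops a Referer such as https://192.168.10.1@attacker.example/ or https://attacker.example/192.168.10.1 from passing.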

Again – Re-enter the password to confirm it.
Permissions – Select the account permissions you want to apply to the account:
Administrator – Full permission to access and configure Advanced Firewall.
Operator – Permission to shut down or reboot the system.
Log – Permission to view the system log files.
Realtime logs – Permission to view realtime logs.
Reporting system – Permission to access the reporting system.
Rule editor user – Permission to edit networking outgoing policies, ports and external services. For more information, see Chapter 7, Managing Outbound Traffic and Services on page 72.
SMTP quarantine – Permission to access and manage the SMTP quarantine pages.
Temp ban – Permission to access and change temporary ban status.
Portal User – Permission to access the user portal pages.
3 Click Add to add the account.

Changing a User's Password
To set or edit a user's password:
1 Browse to the System > Administration > Administrative users page.
2 In the Current users area, select the user and click Edit.
3 Enter and confirm the new password in the Password and Again fields.
4 Click Add to activate the changes.

Managing Tenants
Note: To add tenants, you must have the correct Advanced Firewall license type. Contact your Smoothwall representative for more information.

Advanced Firewall's multi-tenancy functionality enables you to define client organizations, known as tenants, which can access and use Advanced Firewall services. Each tenant has its own directory server(s) and users. Multi-tenancy enables Advanced Firewall to apply network permissions to users whose usernames are not unique. For information on tenants and directories, see Chapter 10, Configuring Directories on page 195.

Adding a Tenant
Note: When you add tenants to Advanced Firewall, connections coming from addresses not associated with a tenant will be unable to authenticate.

To add a tenant:
1 Browse to the System > Administration > Tenants page.
2 Click Add new tenant.
3 In the Add new tenant dialog box, configure the following settings:
Name: Enter a name to identify the tenant.
IP address range: Enter the tenant's IP address, subnet or range.
Note: An address can only be used by a single tenant. Tenant addresses cannot overlap.
4 Click Add. Advanced Firewall adds the tenant.
5 Repeat the steps above for any other tenants you want to add.

Editing a Tenant
To edit a tenant:
1 On the System > Administration > Tenants page, point to the tenant and click Edit.
2 In the Edit tenant dialog box, make the changes you require. See Adding a Tenant on page 275 for information on the settings available.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting a Tenant
To delete a tenant:
1 On the System > Administration > Tenants page, point to the tenant and click Delete.
2 When prompted, click Delete. Advanced Firewall deletes the tenant.

Hardware
The following sections discuss how to configure UPS devices, modems and firmware settings.

Managing UPS Devices
Uninterruptible Power Supply (UPS) device(s) physically connected to Advanced Firewall provide emergency power to Advanced Firewall if the mains power supply fails.

UPS Connection Prerequisites
Before you start configuring Advanced Firewall to use a UPS device:
1 Follow the documentation delivered with your UPS device to prepare it for use.
2 Connect the UPS device to Advanced Firewall.
3 On the System > Maintenance > Shutdown page, reboot immediately. Once rebooted, you are ready to start configuring the UPS device.

Configuring the Global Shut Down Condition
The global shut down condition determines when, if ever, an Advanced Firewall connected to a UPS device should shut down.
To configure the global shut down condition:
1 Browse to the System > Hardware > UPS page.
2 Select when Advanced Firewall should shut down:
Never: Select to never shut down Advanced Firewall.
When all remaining UPS are at low battery: Select to shut down Advanced Firewall when all currently connected UPS devices are at low battery levels.
After a set time of being on battery: Select to specify how long to wait before shutting down Advanced Firewall when running on UPS battery. Delay before shut down – Enter how long in minutes to wait before shutting down Advanced Firewall.
3 Click Save changes. Advanced Firewall applies the shut down condition.

Configuring UPS Devices
UPS devices can be configured to use the following types of connections:

• USB – connects to Advanced Firewall via a USB connection. For more information, see Configuring a UPS Device with a USB Connection on page 278
• Serial – connects to Advanced Firewall via a serial connection. For more information, see Configuring a UPS Device with a Serial Connection on page 278
• SNMP – connects to Advanced Firewall via an SNMP connection. For more information, see Configuring a UPS Device with an SNMP Connection on page 278
• HTTP – connects to Advanced Firewall via an HTTP connection. For more information, see Configuring a UPS Device with an HTTP Connection on page 279.
It is also possible to configure an alert which is triggered when power switches to and from mains supply. For more information, see Chapter 12, Enabling Alerts on page 229.
Advanced Firewall also makes information about UPS devices available on the System > Central management > Overview page. For more information, see Chapter 14, Accessing the Node Details Page on page 298.

Configuring a UPS Device with a USB Connection
To configure a USB connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Name: Enter a name for the UPS device.
UPS connection: Select USB.
Manufacturer: From the drop-down lists, select the UPS device's manufacturer and model.
3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with a Serial Connection
To configure a serial connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Name: Enter a name for the UPS device.
UPS connection: Select Serial.
Port: From the drop-down list, select the port the UPS device uses.
3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with an SNMP Connection
To configure an SNMP connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Name: Enter a name for the UPS device.
UPS connection: Select SNMP.
IP address: Enter the IP address that the UPS device will use.
SNMP community: Enter the UPS device's SNMP community string.

3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with an HTTP Connection
To configure an HTTP connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Name: Enter a name for the UPS device.
UPS connection: Select HTTP.
IP address: Enter the IP address that the UPS device will use.
Username: If required, enter the user name to be used to connect the device to Advanced Firewall.
Password: If required, enter the password to be used to connect the device to Advanced Firewall.
Confirm: If required, re-enter the password to be used to connect the device to Advanced Firewall.
3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Editing UPS Devices
To edit a UPS device's settings:
1 On the System > Hardware > UPS page, point to the device you want to edit and click Edit.
2 In the Edit UPS dialog box, make the changes required. See Configuring UPS Devices on page 277 for information on the settings available.
3 Click Save changes. Advanced Firewall changes the settings and lists the device in the Connected UPS area.

Deleting UPS Devices
To delete a UPS device:
1 On the System > Hardware > UPS page, point to the device you want to delete and click Delete.
2 When prompted, click Delete to confirm that you want to delete the device. Advanced Firewall deletes the device and removes it from the list in the Connected UPS area.

Managing Hardware Failover
Advanced Firewall's hardware failover enables you to configure a failover Advanced Firewall system which, in the event of hardware failure, provides all the protection and services your master Advanced Firewall usually provides.
Note: Hardware failover is not included as standard with Advanced Firewall – it must be licensed separately. Contact an authorized Smoothwall partner or visit www.smoothwall.net for more information.

How does it work?
When configured and enabled, the failover Advanced Firewall runs in a standby mode monitoring the master Advanced Firewall for a heartbeat communication. Heartbeat is the name of a suite of services and configuration options that enable two identical Advanced Firewall systems to be configured to provide hardware failover.
The master periodically copies settings to the failover unit to ensure that the failover unit can provide a fully configured service if the master fails. Since part of this information includes the IP addresses for each of the master interfaces, the failover unit will essentially provide a drop-in replacement and the transition will generally go unnoticed.
Note: Settings are copied intermittently and it is theoretically possible that the failover unit will be a few minutes behind configuration changes made to the master.
If the master fails, it stops responding to the failover unit's heartbeat and the failover unit therefore determines that the primary system is no longer available. This will occur somewhere between 0 seconds and the keep-alive time specified when configuring failover. The failover unit then enters a more responsive mode where it monitors the master for its revival. It remains in this mode for the length of dead time you have configured. This stage is designed principally to cope with intermittent failures within the communication system, such as a heavily loaded master. Once the dead time has expired, the failover unit awakens from its standby mode and begins reinstating the settings and services which allow it to take over operations from the master.
When the master starts to respond again, be it minutes, days or weeks later, and assuming that auto failback is enabled, the failover unit hands over control to the master, de-activates its configuration and services and returns to standby mode.

Prerequisites
The following must be in place for hardware failover to work:
• A private network consisting of only two Advanced Firewall systems connected via their heartbeat interfaces, preferably using a crossover cable
• The master and failover unit should both use the same types of hard disk drives, RAM, and above all the same type and number of network interface cards
• The failover unit must be plugged into all the switches the master is plugged into
• SSH must be enabled on the master; see Configuring Admin Access Options on page 272 for more information.

Configuring Hardware Failover
Configuring hardware failover entails:
• On the master, specifying a network interface for the heartbeat and configuring and generating a failover archive to deploy on the failover unit
• On the failover unit, installing Advanced Firewall and deploying the failover archive.
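The timing described above, detection of a silent master within one keep-alive interval, a dead-time window that absorbs intermittent loss, takeover when the window expires, then automatic or manual failback, can be followed in a small simulation. This is an added example and not Smoothwall's Heartbeat code; the state names, the FailoverUnit class and the simulate() scenario driver are assumptions made for illustration.

```python
"""Added example (not Smoothwall code): a model of the failover unit's behaviour
as the guide describes it. The unit watches the master for heartbeats; a missed
heartbeat starts the dead-time window, a heartbeat inside that window returns it
to standby (intermittent failure absorbed), expiry of the window makes it active,
and a returning master triggers automatic failback when enabled, otherwise the
unit stays active until an operator uses 'Enter standby mode'.
State names, FailoverUnit and simulate() are illustrative, not product code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STANDBY, WATCHING, ACTIVE = "standby", "watching", "active"


@dataclass
class FailoverUnit:
    keep_alive: float = 1.0      # seconds between heartbeat checks (guide default: 1 s)
    dead_time: float = 5.0       # seconds to wait after a missed heartbeat before taking over
    auto_failback: bool = True
    state: str = STANDBY
    last_heartbeat: float = 0.0
    silence_started: Optional[float] = None
    transitions: List[Tuple[float, str, str]] = field(default_factory=list)

    def _go(self, now: float, new_state: str, reason: str) -> None:
        self.transitions.append((now, new_state, reason))
        self.state = new_state

    def heartbeat(self, now: float) -> None:
        """The master answered the keep-alive probe at time `now`."""
        self.last_heartbeat = now
        self.silence_started = None
        if self.state == WATCHING:
            self._go(now, STANDBY, "master responded within dead time")
        elif self.state == ACTIVE and self.auto_failback:
            self._go(now, STANDBY, "auto failback: control handed back to master")

    def tick(self, now: float) -> None:
        """Evaluate timers at time `now`; call at least once per keep-alive interval."""
        if self.state == STANDBY and now - self.last_heartbeat > self.keep_alive:
            self.silence_started = now
            self._go(now, WATCHING, "missed heartbeat")
        elif (self.state == WATCHING and self.silence_started is not None
              and now - self.silence_started >= self.dead_time):
            self._go(now, ACTIVE, "dead time expired: taking over from master")

    def enter_standby_mode(self, now: float) -> None:
        """Manual failback: the 'Enter standby mode' action on the failover unit."""
        if self.state == ACTIVE:
            self._go(now, STANDBY, "manual failback")


def simulate(outages: List[Tuple[float, float]], duration: float, **unit_kwargs) -> FailoverUnit:
    """Drive a FailoverUnit against a master that is silent during each [start, end)
    outage. Constructed scenario driver: one probe per keep-alive interval from t=0."""
    unit = FailoverUnit(**unit_kwargs)
    steps = int(duration / unit.keep_alive)
    for i in range(steps + 1):
        now = i * unit.keep_alive
        master_alive = not any(start <= now < end for start, end in outages)
        if master_alive:
            unit.heartbeat(now)
        unit.tick(now)
    return unit


def states(unit: FailoverUnit) -> List[str]:
    """The sequence of states the unit moved through."""
    return [state for _, state, _ in unit.transitions]


def takeover_time(unit: FailoverUnit) -> Optional[float]:
    """When (if ever) the unit became active."""
    return next((t for t, s, _ in unit.transitions if s == ACTIVE), None)


def manual_failback_scenario() -> Tuple[str, str]:
    """Auto failback disabled: the unit stays active after the master returns
    until an operator clicks 'Enter standby mode'. Returns (before, after)."""
    unit = simulate([(20.0, 40.0)], 50.0, auto_failback=False)
    before = unit.state
    unit.enter_standby_mode(55.0)
    return before, unit.state
```

With a 1 s keep-alive and 5 s dead time, a 3 s outage is absorbed without a takeover, while a 20 s outage produces a takeover about 6 s after the last heartbeat.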

Note: The master and failover unit systems are connected via their heartbeat interfaces on a private network. It is critically important that this network is not congested and suffers as little latency as is possible. Using a crossover cable also minimizes the risk of failure, as it is possible that the switch the heartbeat interface is on could fail. For these reasons, we strongly recommend that this connection be a crossover cable.

Configuring the Master
To configure the master Advanced Firewall:
1 Navigate to the Networking > Interfaces > Interfaces page.
2 Point to the interface to be used by the hardware failover master and failover unit systems to communicate with each other and click Edit.
3 In the Edit interface dialog box, configure the following settings:
Name: Accept the default name or enter a custom name.
Use as: Select Heartbeat interface.

Spoof MAC: Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4 Click Save changes.
5 Navigate to the System > Hardware > Failover page.
6 Configure the following settings:
Enabled: Select to enable failover.
Master heartbeat IP: Enter an IP address for the master.
Slave heartbeat IP: Enter an IP address for the failover unit.
Netmask: Enter a netmask.
Note: We recommend that the heartbeat network be private and only used by the master and failover units.
Keep-alive interval: Set the interval after which the master and failover unit communicate to ensure the master is still working. The default is 1 second. In non-congested networks, we recommend a very short interval which is undetectable in terms of system performance.
Dead time: Specify how long after the failover unit has become aware that the master is no longer responding it should wait before taking over from the master.
Auto failback: Select if you want the failover unit to automatically hand back control to the master when the master starts to respond after a hardware failure. The failover unit will hand over control to the master, deactivate its configuration and services and return to standby status.
7 Click Save.

8 Browse to the System > Maintenance > Shutdown page, select Immediately and click Reboot. Wait a couple of minutes for the system to reboot and then log in again.
The next step is to generate the failover archive to deploy on the failover unit.

Generating a Failover Archive
A failover archive contains the settings required to configure the failover unit to provide hardware failover for Advanced Firewall.
Note: The size of the failover unit archive varies depending on the Smoothwall modules installed. 50 MB is an average size.
To generate a failover archive:
1 Navigate to the System > Hardware > Failover page and configure and save the failover settings. See Configuring the Master on page 281.
2 Click Generate slave setup archive. Advanced Firewall generates the archive and prompts you to specify where to save it.
3 Save the archive on some suitable removable media accessible by the failover unit.
The next step is to use the archive to implement the failover settings on the failover unit.

Implementing Failover Settings on the Failover Unit
Implementing failover on the failover unit entails running the setup program and using the restore options to apply the settings.
To implement failover on the failover unit:
1 Install Advanced Firewall using the quick install option. See the Advanced Firewall Installation and Setup Guide for more information.
On the following screen:
1 Select Yes and press Enter. You are prompted to insert the media.
2 Select the type of media the archive is stored on and press Enter.
3 Insert the media and press Enter.
4 Select the archive and press Enter. The failover settings are installed.
5 When prompted, press Enter to reboot the failover unit. The failover unit will reboot and automatically enter standby mode.

Administering Failover
There are no noticeable differences between administering an Advanced Firewall used as a master and one which is not used as a master. There should be little or no need to administer the failover unit on a day to day basis. However, from time to time, you will need to install updates.
Note: For information on installing updates on failover units, see Installing Updates on a Failover System on page 260.

Updates are not automatically applied in order to ensure that the failover unit can provide a known good system to fail over to in case of any issues resulting from updates to the master.

Accessing the Failover Unit
With failover implemented, the active Advanced Firewall system is always accessed via the usual address, whether services and protection are being supplied by the master or the failover unit. When you need to access the failover unit directly, you can do so using a variation of the address for the master. You can only do so when the failover unit is in active operation, as when in standby mode the failover unit has no effective presence on any of the local or remote networks.
For example, to access the master's Updates page the address would usually look as follows:
https://192.168.72.142:441/cgi-bin/admin/updates.cgi
To access the settings on the failover unit, the address would be:
https://192.168.72.142:440/cgi-bin/admin/updates.cgi
The address used in the example above, 192.168.72.142, is the address of the master, on the active system. All communications with the user interface on the failover unit are via HTTPS and on port 440 instead of port 441.

Testing Failover
In order to test failover, you can force the master to enter standby mode.
To test failover:
1 On the master, go to the System > Hardware > Failover page and click Enter standby mode. After a short period of time the failover unit will take over from the master.
2 To restore operations to the master, go to the System > Hardware > Failover page and click Enter standby mode to restore the system to normal operation.

Manual Failback
In configurations where Auto failback is not enabled, but the master system has become available again after corrective action has been taken, you can manually fail back to the master.
To manually fail back:
1 On the failover unit, go to the System > Hardware > Failover page and click Enter standby mode. Operations will be transferred to the master.
Note: If Auto failback is enabled, rebooting the master will also return it to active service and force the failover unit into standby mode.

Configuring Modems
Advanced Firewall can store up to five modem profiles.

To configure a modem profile:
1 Browse to the System > Hardware > Modem page.
2 Configure the following settings:
Profiles: From the drop-down list, select Empty to create a modem profile.
Profile name: Enter a name for the modem profile.
Interface: Select the serial port that the modem is connected to.
Computer to modem rate: Select the connection speed of the modem. A standard 56K modem is usually connected at the default 115200 rate.
Dialing mode: Select the dialing mode. Tone – Select if your telephone company supports tone dialing. Pulse – Select if your telephone company supports pulse dialing.
Modem speaker on: Select to enable audio output during the modem dialing process, if the modem has a speaker.
Connect timeout: Enter the amount of time in seconds to allow the modem to attempt to connect.
Init: Enter the commands required to initialize the modem.
Hangup: Enter the commands required to end a connection.
Speaker on: Enter the commands required to turn the speaker on.
Speaker off: Enter the commands required to turn the speaker off.
Tone dial: Enter the commands required to turn tone dialing on.
Pulse dial: Enter the commands required to turn pulse dialing on.
3 Click Save to save your settings and create the profile.

Installing and Uploading Firmware
Advanced Firewall can upload the third-party mgmt.o firmware update file. Without this file, Alcatel SpeedTouch USB ADSL modems will not work.
Note: The 330 version of this modem also requires its own firmware update to function correctly.
To upload and install the Alcatel firmware:
1 Navigate to the System > Hardware > Firmware upload page.
2 Click Browse adjacent to the Upload file field.
3 Use the browser's Open dialog to find and open the mgmt.o file.
4 Click Upload to upload the firmware update to the system.
Note: Once this process has been completed, the system must be rebooted before the new firmware is activated.

Diagnostics
The following sections discuss configuration tests, diagnostics, IP tools and traffic analysis.

Configuration Tests
The Configuration tests page is used to ensure that your current Advanced Firewall settings are not likely to cause problems. Components installed on your Advanced Firewall add tests to this page which, when run, highlight problem areas. For example, DNS resolution is checked, gateways are pinged and network routing is tested to make sure your current settings are not likely to cause problems.

To test your configuration:
1 Navigate to the System > Diagnostics > Configuration tests page.
2 Click Perform tests. The results are displayed in the Details area.

Generating Diagnostics
Advanced Firewall provides diagnostics facilities, typically used to provide Smoothwall support engineers with complete system configuration information to aid problem solving.
To generate a diagnostics file:
1 Navigate to the System > Diagnostics > Diagnostics page.
2 Configure the following settings:
System: Select All to include all system components, or individually select the components you want to include in the diagnostics results.
Modules: Select All to include all modules, or individually select the modules you want to include in the diagnostics results.
3 Click Generate. When prompted, save the results in a suitable location for review.

IP Tools
The IP tools page is used to check connectivity, both from Advanced Firewall to computers on its local networks and to hosts located externally on the Internet. There are two IP tools:
• Ping – Ping establishes that basic connectivity to a specified host can be made. Use it to prove that Advanced Firewall can communicate with hosts on its local networks and external hosts on the Internet.
• Traceroute – Traceroute is used to reveal the routing path to Internet hosts, shown as a series of hops from one system to another. A greater number of hops indicates a longer (and therefore slower) connection.
The output of these commands is as it would be if the commands were run directly by the root user from the console of the Advanced Firewall system. It is, of course, more convenient to run them from this page.

Using Ping
To use Ping:
1 Navigate to the System > Diagnostics > IP tools page.
2 Select the Ping option from the Tool drop-down list.
3 Enter an IP address or hostname that you wish to ping in the IP addresses or hostnames field.
4 Click Run. The result of the ping command is displayed.

Using Traceroute
To use Traceroute:
1 Navigate to the System > Diagnostics > IP tools page.
2 Select the Traceroute option from the Tool drop-down list.
3 Enter an IP address or hostname that you wish to trace in the IP addresses or hostnames field.
4 Click Run. The result of the traceroute command is displayed.

Whois
Whois is used to display ownership information for an IP address or domain name. A major use for this is to determine the source of requests appearing in the firewall or Detection System logs. This can assist in the identification of malicious hosts.

To use Whois:
1 Navigate to the System > Diagnostics > Whois page.
2 Enter an IP address or domain name that you wish to look up in the IP addresses or domain name field.
3 Click Run. The output of Whois is as it would be if it were run directly by the root user from the console of the Advanced Firewall system.

Analyzing Network Traffic
The Traffic analysis page displays detailed information on what traffic is currently on the network, as well as specific information on connections made. It is possible to view a complete transcript of TCP and UDP sessions, including pictures sent or received on web requests.
To analyze traffic:
1 Navigate to the System > Diagnostics > Traffic analysis page.
2 From the Interface drop-down list, select the interface.
3 From the Time to run for drop-down list, select how long to analyze the traffic.
4 Click Generate. After the time specified has elapsed, a breakdown of what ports and services have been used is presented.

Managing CA Certificates
When Advanced Firewall's instant messenger proxy and/or Guardian are configured to intercept SSL traffic, certificates must be validated. Advanced Firewall validates the certificates by checking them against the list of installed Certificate Authority (CA) certificates on the System > Certificates > Certificate authorities page. Advanced Firewall comes with certificates issued by well-known and trusted CAs.
The following sections describe how you can import new CA certificates, export existing CA certificates and edit the list to display a subset or all of the CA certificates available.

Reviewing CA Certificates
By default, Advanced Firewall displays the certificates available. It also displays which certificates are valid and which are built-in, i.e. included in Advanced Firewall by default.
To review the certificates:
1 Browse to the System > Certificates > Certificate authorities page.
2 To review a specific certificate, click on its name. Advanced Firewall displays it.
3 Click your browser's Back button to return to Advanced Firewall.

Importing CA Certificates
To import CA certificates:
1 Navigate to the System > Certificates > Certificate authorities page and locate the Import Certificate Authority certificate area.
2 Click Browse, navigate to the certificate and select it.
3 Click the import option. Advanced Firewall imports the certificate and displays it at the bottom of the list.

Exporting CA Certificates
To export certificates:
1 On the System > Certificates > Certificate authorities page, select the certificate.
2 From the Export format drop-down list, select one of the following options:
CA certificate in PEM: Export the certificate in an ASCII (textual) certificate format commonly used by Microsoft operating systems.
CA certificate in BIN: Export the certificate in a binary certificate format.
3 Click Export and save the certificate on a suitable medium.

Deleting and Restoring Certificates
You can remove built-in certificates from the list on the System > Certificates > Certificate authorities page. You can also restore them to the list if required.
To delete certificates:
1 On the System > Certificates > Certificate authorities page, select the certificate(s) and click Delete. Advanced Firewall removes the certificate(s).

Chapter 14
Centrally Managing Smoothwall Systems
In this chapter:
• About centrally managing Smoothwall systems
• Pre-requirements
• Setting up a Smoothwall system
• Managing nodes in a system.

About Centrally Managing Smoothwall Systems
Advanced Firewall's central management enables you to monitor and manage nodes in a Smoothwall system. A Smoothwall system is comprised of an instance of a Smoothwall product running as a parent node and one or more compatible Smoothwall products running as child nodes being managed by the parent node.
Configuring and managing a Smoothwall system entails:
• Configuring a parent and the nodes in the system; for more information, see Setting up a Centrally Managed Smoothwall System on page 292
• Actively monitoring the nodes in the system; for more information, see Monitoring Node Status on page 297
• Applying updates; for more information, see Scheduling and Applying Updates to One or More Nodes on page 299
• Rebooting nodes as required; for more information, see Rebooting Nodes on page 299
• Disabling nodes as required; for more information, see Disabling Nodes on page 299.

Pre-requirements
Before you start to set up a centrally managed Smoothwall system:
• Check that all the Smoothwall machines you intend to include in the system have the latest updates applied. For more information, see Chapter 13, Installing Updates on page 259
• Check that you have administrator access to all of the computers you want to include in the system
• Check that there is IP access from the computer that will be the parent node to the computers that will be child nodes in the system.

Setting up a Centrally Managed Smoothwall System
Setting up a centrally managed Smoothwall system entails:
• Configuring the parent node in the system
• Configuring child node settings, installing the central management key and enabling SSH on child nodes
• Adding child nodes to the system.

Configuring the Parent Node
The first step when configuring a Smoothwall system is to configure the parent node in the system. This instance of Advanced Firewall becomes the parent node and can be used to centrally manage the Smoothwall system.
To configure the parent node:
1 Log in to the instance of Advanced Firewall you want to function as the parent node.
2 Browse to the System > Central management > Local node settings page.
3 Configure the following settings:
Local node options: Parent node – Select this option to enable central management and configure this instance of Advanced Firewall as the parent node in the Smoothwall system.
4 Click Save.

Configuring Child Nodes
Every child node in a Smoothwall system must have a central management key installed and SSH enabled.
Note: If you are reconfiguring a child node to be the child of a new parent, reboot the child node to apply the changes.
To configure a child node:
1 On the system's parent node, browse to the System > Central management > Local node settings page.
2 Configure the following settings:
Local node options: Parent node – Check that this option is selected so that you can generate a central management key for installation on child nodes.
Manage central management keys: Central management key – Click Download to download and save the central management key in a secure, accessible location for distribution to the child nodes in the system.
3 On the Smoothwall system you want to add as a child node, browse to the System > Central management > Local node settings page and configure the following settings:
Local node options: Child node – Select this option to configure this machine as a child node in the system. Click Save to save this setting.
Manage central management keys: Upload central management key – Using your browser's controls, browse to and select the key. Click Save to upload the key to the child node.
4 On the System > Administration > Admin options page, select SSH and click Save.
5 Repeat step 3 and step 4 above on any other machines you want to use as child nodes.
When finished, you are ready to add them to the system. See Adding Child Nodes to the System on page 294 for more information.

Adding Child Nodes to the System
When you have installed the central management key and enabled SSH on all child nodes, you are ready to add them to the system. You can add nodes:
• Manually, by adding each node separately; for more information, see Manually Adding Child Nodes on page 294
• By importing node information from a CSV file; for more information, see Importing Nodes into the System on page 295.

Manually Adding Child Nodes
Adding child nodes manually entails entering the information for each node separately.
To add child nodes manually:
1 On the parent node, browse to the System > Central management > Child nodes page.
2 Click Add node and configure the following settings:
Node details: Node name – Enter a unique name to identify the node. Node names may only consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
IP/hostname – Enter the IP address or hostname of the child node.
Comment – Optionally, enter a comment describing the child node.

Node settings: Replication profile – From the drop-down list, select the replication profile to be deployed on the child node. The replication profile enables the sharing of system settings between nodes. For information on configuring a replication profile, see Chapter 13, Creating an Archive on page 263.
Allow parent to monitor status – Select to enable central monitoring for the child node. For more information, see Monitoring Node Status on page 297.
Central logging – Select to enable central logging for the child node.
Note: Do not select this option if you want to access the child node's logs on the child node itself.
Allow parent to manage resources – Select to enable the parent node in the group to manage child node resources such as quotas which limit user access to web content. When enabled and quotas have been used in a web filtering policy, the parent ensures that users cannot access content for longer than allowed by using different child nodes.
Note: Currently, this option only applies to Advanced Firewall with Guardian3 installed.
3 Select Enable node and click Confirm.
4 Repeat step 2 and step 3 for each node you want to add to the system.
5 When you have added all of the nodes, review the node details and then click Save to add the nodes. The parent node lists the child nodes and displays their current status on the System > Central management > Overview page.

Importing Nodes into the System
If child node information is available in a comma separated format (CSV) file, you can import it directly into the parent node.

About the CSV File
Each line in the CSV file must contain 8 fields. The fields must be separated by commas and ordered as follows:
Name,IP/hostname,Enabled,Monitorstatus,Centrallogging,Centralresources,Replicationprofile,Comment
The possible values for the fields are as follows:
Name: The node name. A node name may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported. This field is required.
Note: If the name is the same as that of a child node already in the system, the child node in the system will be overwritten.
IP/hostname: The IP or hostname of the node. This field is required.
Central logging: Determines if central logging is enabled or disabled. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0. This field is required.
Note: Do not enable this option if you want to access the child node's logs on the child node itself.

Monitor status – Determines if central monitoring is enabled or disabled. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0. This field is required.
Enabled – Determines if the node settings are enabled or disabled. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0. This field is required.
Central resources – Determines if resources are managed by the parent. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0. This field is required. Note: Currently, this option only applies to Advanced Firewall with Guardian3 installed.
Replication profile – The name of the replication profile used on the node. For more information, see Chapter 13, About Archive Profiles on page 263. This field is optional.
Comment – A comment. It may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported. This field is optional and may be empty.

For full information on what the settings do, see Manually Adding Child Nodes on page 294.

Importing Node Information

The following steps explain how to import node information from a CSV file. For more information on CSV files, see About the CSV File on page 295.
Note: Importing settings from a CSV file will overwrite existing nodes with the same name.

To import node information from a CSV file:
1 On the parent node, browse to the System > Central management > Child nodes page.
2 Click Import CSV, browse to the file and select it. Click Import to import the contents of the file.
3 The parent node displays the contents of the file and notifies you of any errors in the file.
4 Click Confirm to import the information in the file. The parent node imports the node information and displays it.

Editing Child Node Settings

When required, it is possible to edit child node settings.

To edit a child node’s settings:
1 Browse to the System > Central management > Child nodes page, locate the node you want to edit and click Edit node.
2 Make the changes required, see Manually Adding Child Nodes on page 294 for full information on the settings.
3 Click Confirm, review the changes and then click Save to save and implement the changes.
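A validator for the child-node CSV format described under About the CSV File, as an added example (not Smoothwall's own import code): it checks the field count, the character rules for names and comments, the required fields, the yes/on/1 and no/off/0 values, and flags duplicate names, which the import would silently overwrite. The field order follows the list above and the sample file is constructed.

```python
"""Validate a child-node CSV file against the field rules in this guide.

Added example, not Smoothwall's own code. Field names and order follow the
About the CSV File section; the sample CSV at the bottom is constructed.
"""
import csv
import io
import re

FIELDS = ["Name", "IP/hostname", "Central logging", "Monitor status",
          "Enabled", "Central resources", "Replication profile", "Comment"]
BOOL_FIELDS = {"Central logging", "Monitor status", "Enabled", "Central resources"}
OPTIONAL = {"Replication profile", "Comment"}
TRUE_WORDS = {"yes", "on", "1"}
FALSE_WORDS = {"no", "off", "0"}
# letters, numbers, spaces, underscores and full stops; Unicode is not supported
NAME_RE = re.compile(r"^[A-Za-z0-9_. ]+$")


def parse_bool(value):
    """Map the accepted enabled/disabled spellings to True/False."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError(f"expected yes/on/1 or no/off/0, got {value!r}")


def validate_row(row, lineno):
    """Return (node_dict, errors) for one CSV row; node_dict is None if unusable."""
    errors = []
    if len(row) != len(FIELDS):
        return None, [f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}"]
    node = dict(zip(FIELDS, (c.strip() for c in row)))
    for f in ("Name", "Comment"):
        if node[f] and not NAME_RE.match(node[f]):
            errors.append(f"line {lineno}: {f} contains unsupported characters")
    for f in FIELDS:
        if f not in OPTIONAL and not node[f]:
            errors.append(f"line {lineno}: {f} is required")
    for f in BOOL_FIELDS:
        if node[f]:
            try:
                node[f] = parse_bool(node[f])
            except ValueError as e:
                errors.append(f"line {lineno}: {f}: {e}")
    return node, errors


def validate_csv(text):
    """Validate a whole file; duplicate names are reported because the later
    line would overwrite the earlier node on import."""
    nodes, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        node, errs = validate_row(row, lineno)
        errors.extend(errs)
        if node is None:
            continue
        if node["Name"].lower() in seen:
            errors.append(f"line {lineno}: duplicate node name {node['Name']!r} "
                          "(later line overwrites earlier one on import)")
        seen.add(node["Name"].lower())
        nodes.append(node)
    return nodes, errors


# Constructed sample: two valid nodes and one with a bad flag and a Unicode comment
SAMPLE_CSV = """\
Branch Office 1,192.0.2.10,yes,on,1,no,,Site A
Branch Office 2,fw2.example.net,off,yes,yes,1,office-profile,Site B
Bad Node,192.0.2.12,maybe,yes,yes,no,,Unicode: \u00e9
"""

if __name__ == "__main__":
    ok_nodes, problems = validate_csv(SAMPLE_CSV)
    for p in problems:
        print("ERROR:", p)
    for n in ok_nodes:
        print(n)
```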

Deleting Nodes in the System

It is possible to delete nodes that are no longer required in the system.

To delete a node:
1 On the System > Central management > Child nodes page, locate the node you want to delete and click Delete node. When prompted, click Delete to confirm the deletion.
2 Repeat the step above for any other nodes you want to delete.

Managing Nodes in a Smoothwall System

Managing nodes in a Smoothwall system entails:
• Monitoring node status
• Applying updates to nodes
• Scheduling updates for application at a specific time
• Rebooting nodes when necessary
• Disabling nodes when necessary

Monitoring Node Status

The central management node overview on the parent node displays a list of all of the nodes in the Smoothwall system. It also displays the nodes’ current status and whether updates for the nodes are available.

To monitor node status:
1 On the parent node, browse to the System > Central management > Overview page. The parent node displays current node status, for example:

[Figure: node overview]

Node information is contained in the following fields:

Name – The Name field displays the name of the node. Click on the name to log in to the node.

Centrally Managing Smoothwall Systems – Managing Nodes in a Smoothwall System

Status – The Status field displays the current state of the node. The following statuses are possible:
OK – the node is functioning and does not require attention.
Warning – the node does not require immediate attention but should be checked for problems. Click on the node’s status field for more information.
Critical – the node requires immediate attention. Click on the node’s status field for more information.
Click on the Status text to display detailed information on the node.
Updates – The Updates field enables you to schedule the application of available updates. Click on the Updates text to display detailed information on the node. For more information, see Accessing the Node Details Page on page 298.

Accessing the Node Details Page

It is possible to view detailed information on a node by accessing the node details page.

To access a node details page:
1 On the parent node, browse to the System > Central management > Overview page.
2 Locate the node you want more information on and click on its Status text. Advanced Firewall displays the node details page.
3 Click on the displayed headings for more information.
4 Click Refresh node to refresh the information displayed.
5 Click Reboot node to reboot the node.

Working with Updates

You can review and apply updates to a node as they become available.

Reviewing and Applying Available Updates to a Node

You can review and apply updates to a node as they become available. You can also apply updates to one or more nodes immediately or at a later date. For more information, see Scheduling and Applying Updates to One or More Nodes on page 299.

To review and apply updates:
1 On the parent node, browse to the System > Central management > Overview page.
2 Click the Updates tab and then click the Status field of the node. The node details are displayed.
3 Click on the Updates line to review detailed information about the updates available. To apply the updates to the node, click Schedule update. The Schedule node update page is displayed.
4 In the Install updates area, select one of the following options:
Now – Select to apply the updates to the node immediately.
Later – From the drop-down list, select when you want the updates applied to the node.
5 Click Schedule update. The updates are applied to the node as specified in the previous step and the node is rebooted.

Scheduling and Applying Updates to One or More Nodes

You can apply updates to one or more nodes immediately or schedule them for application later.

To apply updates:
1 On the parent node, browse to the System > Central management > Overview page.
2 Locate and select the node(s) that require updates and click Schedule update. The Schedule node update page is displayed.
3 In the Install updates area, select one of the following options:
Now – Select to apply the update(s) to the node(s) imm...
Later – From the drop-down list, select when you want the update(s) applied to the node(s).
4 Click Schedule update. The updates are applied to the node(s) as specified in the previous step and the node(s) are rebooted.

Clearing Schedule Updates

It is possible to clear any scheduled updates.

To clear scheduled updates:
1 On the System > Central management > Overview page or the node details page, under Updates, click Clear schedule.
2 Advanced Firewall displays the updates that are currently scheduled. Click Clear schedule to clear the updates.

Rebooting Nodes

When required, you can reboot a child node from the system’s parent node.

To reboot a child node:
1 On the parent node, browse to the System > Central management > Overview page.
2 Locate the node you want to reboot and click on the Status text. The node details are displayed.
3 Click Reboot node. The Schedule node reboot page opens. In the Reboot node area, select one of the following options:
Now – Select to reboot the node immediately.
Later – From the drop-down list, select when you want to reboot the node.
4 Click Schedule reboot. The node is rebooted.

Disabling Nodes

It is possible to disable nodes locally and system-wide.

Disabling Nodes Locally

You may need to work on a child node in a system and, e.g., want to stop replication settings from being applied by the parent. You can do this by disabling the child node locally.

To disable a node locally:
1 On the node you want to disable, browse to the System > Central management > Local node settings page.

2 In the Local node options area, select Disable and click Save.
3 Repeat the steps above for any other nodes in the system that you want to disable.
Note: On the parent node, on the System > Central management > Overview page, nodes that have been disabled locally will be listed as Node uncontactable.

Disabling Nodes System-wide

You may need to disable a child node in a system, e.g. in the case of hardware failure. You can do this by disabling the child node system-wide.

To disable a node system-wide:
1 On the parent node, browse to the System > Central management > Child nodes page.
2 Locate the node you want to disable, select Disable and click Save.
3 Repeat the step above for any other nodes in the system that you want to disable system-wide.

Appendix A Authentication

In this appendix:
• Authentication methods
• WPA enterprise and Windows 8

Overview

Advanced Firewall's authentication system enables the identity of internal network users to be verified.
• Identity verification – authenticate users by checking supplied identity credentials.
• Identity confirmation – provide details of known authenticated users at a particular IP address.

Once a particular user is known, an authentication-enabled service can enforce customized permissions and restrictions. Unauthenticated users are usually granted limited, or sometimes no, access to authentication-enabled services.

Network users must provide their identity credentials when using an authentication-enabled service for the first time. A user that is authenticated can be described as being logged in.

Verifying User Identity Credentials

In order to authenticate users, Advanced Firewall must be able to verify the identity credentials, i.e. usernames and passwords, supplied by network users, against known user profile information. Credentials are verified against the authentication system's local user database, such that service permissions and restrictions can be dynamically applied according to a user's group membership. If the credentials cannot be verified by the authentication system, i.e. a matching username and password cannot be found in the local user database, the user's identity status will be set to 'Unauthenticated'.

About Authentication Mechanisms

All authentication-enabled services use the authentication system to discover what users are accessing them. Authentication-enabled services can interact with the authentication system in the following ways:
• Passive interrogation of whether there is an already-authenticated user at a particular IP address, and if so their details
• Active provision of user-supplied identity credentials, e.g. usernames and passwords, for onward authentication.

The means by which these two types of interactions are combined and implemented defines a particular named authentication mechanism.

The Core Authentication Mechanism

This is a special type of authentication mechanism that uses the first interaction method exclusively, i.e. it only ever asks the authentication system whether there is a known user at a particular IP address.
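As an added example (not Smoothwall's code), a toy in-memory model of the two interaction types: a service either asks who is at an IP address (the Core authentication query) or hands over credentials for onward authentication. Sessions are keyed by client IP and invalidated after an idle period, the login time-out this appendix discusses under About the Login Time-out, which is what exposes a new client at a recycled address to the previous user's rights. The user database, addresses and timings are constructed.

```python
"""Toy model of Advanced Firewall's passive/active authentication interactions.

Added example, not Smoothwall's own code. The local user database, the client
address and all timestamps are constructed; times are seconds.
"""
from dataclasses import dataclass

UNAUTHENTICATED = "Unauthenticated"


@dataclass
class Session:
    username: str
    group: str
    last_activity: float


class AuthSystem:
    def __init__(self, users, login_timeout=600):
        # users: username -> (password, group); stands in for the local user database
        self.users = users
        self.login_timeout = login_timeout
        self.sessions = {}  # client IP -> Session

    # Active provision: a service passes credentials on for authentication
    def authenticate(self, ip, username, password, now):
        record = self.users.get(username)
        if record is None or record[0] != password:
            self.sessions.pop(ip, None)  # a failed login never leaves a session behind
            return UNAUTHENTICATED
        self.sessions[ip] = Session(username, record[1], now)
        return username

    # Passive interrogation: "is there a known user at this IP?" (Core authentication)
    def who_is_at(self, ip, now):
        s = self.sessions.get(ip)
        if s is None:
            return UNAUTHENTICATED
        if now - s.last_activity > self.login_timeout:
            del self.sessions[ip]  # idle longer than the time-out: status invalidated
            return UNAUTHENTICATED
        return s.username

    # Continued activity (e.g. web browsing) from the same user defers the time-out
    def activity(self, ip, username, now):
        s = self.sessions.get(ip)
        if s is not None and s.username == username:
            s.last_activity = now

    # Group membership drives the permissions a service would apply
    def group_of(self, ip, now):
        if self.who_is_at(ip, now) == UNAUTHENTICATED:
            return None
        return self.sessions[ip].group


def demo():
    """Walk through the IP-reuse risk: the user leaves without logging out."""
    auth = AuthSystem({"alice": ("secret", "staff")}, login_timeout=600)
    ip = "192.0.2.50"  # constructed client address
    r = {}
    r["core_before_login"] = auth.who_is_at(ip, now=0)
    r["login"] = auth.authenticate(ip, "alice", "secret", now=0)
    auth.activity(ip, "alice", now=500)                   # browsing keeps the status alive
    r["within_timeout"] = auth.who_is_at(ip, now=1000)    # 500 s since last activity
    r["group"] = auth.group_of(ip, now=1000)
    # Alice never logs out; another client is given the same IP about 10 minutes later
    r["new_client_same_ip"] = auth.who_is_at(ip, now=1099)  # 599 s: still "alice"
    r["after_timeout"] = auth.who_is_at(ip, now=1101)       # 601 s: expired
    r["bad_password"] = auth.authenticate(ip, "alice", "wrong", now=1200)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```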

If the user has been authenticated, appropriate permissions and restrictions can be enforced by the requesting service. If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as 'Unauthenticated'.

Other Authentication Mechanisms

All other authentication mechanisms use a combination of the previously discussed interactions. Such mechanisms usually interrogate the authentication system to determine if the user at the requesting IP has already been authenticated. However, if the user is currently unauthenticated, the second type of interaction occurs – i.e. the requesting service pro-actively provides end-user identity credentials to the authentication system, for onward authentication. Thus, it follows that such authentication mechanisms must also provide an appropriate means of collecting end-user identity credentials.

Choosing an Authentication Mechanism

As discussed in the preceding sections, all authentication-enabled services must use some kind of authentication mechanism to interact with the authentication system. Some authentication-enabled services offer no choice of mechanism used – in such cases, the authentication mechanism will always be 'Core authentication'.

About the Login Time-out

The login time-out is the length of time that a user's authenticated status will last once they are authenticated. In this way, if Advanced Firewall sees no activity from a particular user for the length of time specified by the time-out period, the user's authenticated status will be invalidated. Time-out does not occur if Advanced Firewall can determine that the same user is still active – for example, by seeing continued web browsing from the same user.

The login time-out affects the load on the local system. Lower time-out values increase the frequency of re-authentication requests. Time-out values that are too low may adversely affect system performance. However, longer time-outs increase the risk of a new user at the same IP address being granted inappropriate rights, if the original user fails to pro-actively log-out. A value of 10 minutes is effective for most networks.

Advanced Firewall and DNS

Advanced Firewall’s authentication service uses internal DNS servers for name lookups. Internal DNS servers are specified using Advanced Firewall’s setup program. Advanced Firewall’s DNS proxy server uses external DNS servers for name lookups. External DNS servers are specified when setting up an Advanced Firewall connectivity profile. However, Advanced Firewall can be configured to use an internal DNS server and the internal DNS server can, in turn, be configured to use Advanced Firewall as its DNS forwarder.

A Common DNS Pitfall

Often Advanced Firewall is configured so that an internal DNS server is configured as the primary DNS server and an external DNS server configured as the secondary DNS server, resulting in failed login attempts. This is not the correct way to configure DNS servers on any client. DNS is a system that was designed to be able to respond to any request by redirecting questions to the DNS servers responsible for the various registered domains on the public Internet. This means the client assumes that it does not matter which DNS server it uses, as all DNS servers will have access to the same information.

With the proliferation of private networks and internal DNS zones, this no longer is the case. A DNS client will behave in the following way when looking up a host:
• If a reply of “host not found” is received, the client will NOT ask other DNS servers
• If the DNS is not answering, the client will try to ask another DNS server
• The client will ask randomly between configured DNS servers

Taking the above conditions into account, it is clear that a DNS configuration that has an internal DNS and an external DNS server in the configuration will not work, or at least, will not work reliably. The internal DNS server that holds the Active Directory information needs to be configured so it can resolve external hostnames. The easiest way to do this is to configure the DNS server to use a forwarder, like Advanced Firewall’s DNS proxy server.

Active Directory

The following sections discuss usernames and group membership, which must be configured correctly in order to successfully implement Active Directory-based authentication.

Working with Large Directories

When dealing with large directories, a search through the entire directory can take a long time and make the Advanced Firewall Include groups page unwieldy to manage. Consider, for example, a directory with 5000 users and 2500 groups. Setting the group search root to the top level of the directory would result in an Include groups page with 2500 entries. This would probably take a long time to load and be hard to get an overview of.

A specified group search root can help in narrowing the scope of where to search for groups, but if groups are distributed in multiple OUs, one group search root may not be enough. The Additional Group search roots option enables you to specify several OUs in which to search for groups. Remember that multiple groups can be mapped to the same Advanced Firewall permissions group.

Consider, for example, that the administrator of the Active Directory domain has 2 OUs where the groups to be mapped are located. Normally, the administrator enters the path for the primary OU in the groups search root, and in the additional groups search root the second OU is entered:

User search root: dc=domain,dc=local
Group search root: ou=guardiangroups,ou=users,dc=domain,dc=local
Additional group search root: ou=networkgroups,dc=sub1,dc=domain,dc=local

The above example is for a multi domain Active Directory installation, where the second OU is in the sub-domain sub1.

Active Directory Username Types

A user account on a Windows 2000+ server will have 2 types of usernames:
• A Windows 2000+ username, which takes the form of user@domain
• An old style Windows NT 4 username, which has no domain attached to it.

When a Windows 2000+ domain has been migrated from a legacy Windows NT4 domain, the Windows NT 4 style usernames are not automatically duplicated to Windows 2000+ usernames.
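A simulation of the three DNS client rules listed under A Common DNS Pitfall, as an added example that is not part of the guide: it measures how often a lookup fails when a client lists an Active Directory server next to a public resolver, and shows that the failures disappear once the internal server forwards external names. The zones, addresses and servers are constructed, and `random` stands in for the client's choice between configured servers.

```python
"""Simulate the DNS client behaviour that makes a mixed internal/external
server configuration fail intermittently.

Added example, not Smoothwall's code. All zone data is constructed.
"""
import random

NXDOMAIN, TIMEOUT = "host not found", "no answer"


class DnsServer:
    """Answers for the zones it holds; other names are NXDOMAIN unless forwarded."""

    def __init__(self, name, zones, forwarder=None, up=True):
        self.name, self.zones, self.forwarder, self.up = name, zones, forwarder, up

    def query(self, host):
        if not self.up:
            return TIMEOUT
        for zone, records in self.zones.items():
            if host == zone or host.endswith("." + zone):
                return records.get(host, NXDOMAIN)  # authoritative for the zone
        if self.forwarder is not None:
            return self.forwarder.query(host)
        return NXDOMAIN


def client_lookup(servers, host, rng):
    """Apply the three rules: pick randomly, give up on NXDOMAIN, retry on no answer."""
    order = list(servers)
    rng.shuffle(order)
    for server in order:
        answer = server.query(host)
        if answer == TIMEOUT:
            continue  # server not answering: ask another one
        return answer  # "host not found" is taken as final, no other server is asked
    return TIMEOUT


def failure_rate(servers, host, trials=1000, seed=1):
    """Fraction of lookups for host that end without an address."""
    rng = random.Random(seed)
    failures = sum(1 for _ in range(trials)
                   if client_lookup(servers, host, rng) in (NXDOMAIN, TIMEOUT))
    return failures / trials


# Constructed environment: an AD-integrated internal server and a public resolver
INTERNAL_ZONE = {"domain.local": {"dc01.domain.local": "10.0.0.5"}}
PUBLIC_ZONE = {"example.com": {"www.example.com": "192.0.2.80"}}

external = DnsServer("external", PUBLIC_ZONE)
internal_no_fwd = DnsServer("internal", INTERNAL_ZONE)
internal_fwd = DnsServer("internal", INTERNAL_ZONE, forwarder=external)


def scenarios():
    """The pitfall (internal primary, external secondary) next to the fix."""
    return {
        "mixed: AD host": failure_rate([internal_no_fwd, external], "dc01.domain.local"),
        "mixed: public host": failure_rate([internal_no_fwd, external], "www.example.com"),
        "forwarder: AD host": failure_rate([internal_fwd], "dc01.domain.local"),
        "forwarder: public host": failure_rate([internal_fwd], "www.example.com"),
    }


if __name__ == "__main__":
    for name, rate in scenarios().items():
        print(f"{name}: {rate:.0%} of lookups fail")
```

With two servers the client picks the wrong one about half the time, which is why the guide describes the symptom as logins that fail unpredictably rather than always.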

In order for Advanced Firewall authentication to be able to successfully look up and authenticate Windows users, a Windows 2000+ username needs to be present.

Accounts and NTLM Identification

When using NTLM identification on an Active Directory server that has been set up with no pre-Windows 2000 access permissions, the server lookup user account needs to be a member of the Pre-Windows 2000 Compatible Access group. This group is normally found in the built-in OU in the Active Directory Users and Groups snap-in.

About Kerberos

The following sections document Kerberos pre-requisites and list some points to try if troubleshooting.

Kerberos Pre-requisites and Limitations

The following are pre-requisites and known limitations when using Kerberos as an authentication method:
• Forward and reverse DNS must be working
• All clocks must be in sync. More than 5 minutes clock drift will cause authentication to fail
• Internet Explorer 6 will not work in non-transparent mode.

Troubleshooting

Check the following when troubleshooting a service that uses Kerberos:
• Make sure all the prerequisites have been met, see Kerberos Pre-requisites and Limitations on page 304
• Try another browser for fault-finding
• In Safari, try the fully qualified domain name (FQDN) if the short form does not work
• Check if the user logged on before the keytab was created? Try logging off then on again.
• Check if the user logged on before Advanced Firewall joined the domain? Try logging off then on again.
• Double check you are logged on with a domain account
• When exporting your own keytabs:
  • Make sure the keytab contains keys with the same type of cryptography as that used by the client
  • The “HTTP” in the service principal name (SPN) must be in uppercase
  • The keytab should contain SPNs containing the short and fully qualified forms of each hostname.

Connecting a Windows 7 System to a WPA-Enterprise/802.1X Wireless Network

Microsoft’s Windows 7 operating system is very strict on how 802.1X/EAP wireless networks are connected. Without the use of registry hacks, it is not possible to connect a Windows 7 system to a WPA-Enterprise/802.1X wireless network without certificate validation. The following describes a process of setting up an 802.1X authenticated wireless network under Windows 7 without the use of registry hacks.

Prepare the CA certificate:
1 On the Advanced Firewall WPA Enterprise page, download the certificate file.
2 Copy the certificate file onto a suitable medium for transfer to the device, e.g. USB flash drive or CDR media.

Import the CA certificate on the device:
1 Double-click on the Certificate file.
2 Windows will present the certificate details for inspection. Click the Install Certificate... button.
3 When asked where to install the certificate, click Browse, select Trusted Root Certificate Authorities, and click OK.

Create a wireless network profile:
It is not possible to join the wireless network from the notification area icon as Windows defaults to incorrect settings for the network. A profile must be created manually.
1 Access Network and Sharing Center via Control Panel.
2 Click Set up a new connection or network.
3 In the window that appears, select Manually connect to a wireless network.
4 Enter the network name (SSID) into the Network Name box.
5 Select WPA2-Enterprise as the security type.
6 Select AES as the encryption type.
7 Leave Security Key blank.
8 Select Start this connection automatically to connect as the network becomes available.
9 Click Next.
10 Click Change Connecting Settings.

Modify security settings of network profile:
1 Select the Security tab.
2 Ensure Microsoft: Protected EAP (PEAP) is selected in the drop-down list, then click Settings.
3 Ensure Validate server certificate is selected.
4 Ensure Connect to these servers is not selected.
5 Ensure the imported root CA is selected in the list under Trusted Root Certification Authorities.
6 Deselect Do not prompt user to authorize new servers or trusted certification authorities.
7 Ensure Secured password (EAP-MSCHAPv2) is selected under Select Authentication Method.
8 If your wireless network credentials do not match your Windows log on credentials, click Configure and deselect Automatically use my Windows logon name and password.
9 Click OK.
10 Click on Advanced settings.
11 Ensure Specify authentication mode is selected, and change the drop-down option to User authentication.

12 Click OK.
13 Click OK.

Connect to the wireless network
1 Click on the wireless network icon in the notification area.
2 From the wireless network list, select the wireless network required and click Connect.
3 When prompted, enter your username and password. If you did not deselect Automatically use my Windows logon name and password you will not be prompted. You should now be connected to the wireless network.

Windows 7 802.1X Profile Migration
1 After following the above instructions on how to setup 802.1X on the first machine, log in to the command prompt and export the wireless profile, using:
netsh wlan export profile name="SSID"
This exports the details to an xml file.
2 Copy this xml file and the root certificate presented by Advanced Firewall to the target machine.
3 Install the certificate to the Trusted Root Certificate Authorities.
4 Open up the command prompt, navigate to the location of the xml file and enter:
netsh wlan add profile filename="wirelessprofilename.xml"
5 Login with your user credentials.

Appendix B Understanding Templates and Reports

In this chapter:
• How to use custom reporting

Programmable Drill-Down Looping Engine

The Advanced Firewall reporting system is divided into two conceptually different ideas, those of templates and reports. A template is a series of report sections and their configuration which contains instructions for extracting and manipulating data from Advanced Firewall and producing a report by filling in the template’s sections.

A report section can be considered to be similar to a building block from a construction kit or a piece from a jigsaw puzzle. It has shape, color and provides some information, however its power is better expressed when used in combination with other blocks to build more complicated and more interesting shapes. To this extent a section has a variety of inputs and a number of outputs. These can be connected to each other where the input and output types are equivalent, in the way that jigsaw pieces can be connected if their input and output facets match.

A template in that metaphor is analogous to the instruction sheet for the building blocks, it shows how to assemble the blocks together to produce the report, which is analogous to the finished model. A template is, as described above, nothing more than a structured series of sections. The act of building it takes the template and finds each of the individual blocks, retrieving data as appropriate and assembling it as the template dictates.

[Figure: Example Report Template]
[Figure: Example Report]

Report Templates, Viewing Reports, Exporting and Drill Down Reporting

The term reports has been made deliberately ambiguous and is now used to describe both a report and what was formerly known as a template. The difference between the two is perhaps moot for the most part, and the terms report and report template are used in this appendix where the distinction between the two is deemed important. For the bulk of users, the distinction between what is a report and what is a report template is unimportant, each will eventually show them a set of details about what their system is doing, what it has been doing historically and where their users may have been attempting things with nefarious end. However the key difference is that a report is a combination of several things, the report template used to create it and the data which was extracted and interpreted, along with its interpretation.

In the building block metaphor a report template is the instructions alone. Advanced Firewall is the warehouse full of bins of pieces and a report is the final boxed model ready for building. It has the instructions and the pieces but is still not quite ready for a user to play with.

Creation and Editing

Creating report templates is done via the Advanced Firewall custom page. The description of how to do this is covered elsewhere, however there are a few details which allow for some level of flexibility. Each report template can be assigned an icon, name and description. The name is clearly the name of the report template as it appears in the reports section, the description and icon options are equally obvious as to their use. The description field is actually unlimited in length and reasonably permissive in the characters it may contain. Long descriptions will be truncated in the interface for brevity, however the full version of the description will appear under the report template’s advanced options.

Once a report template has been created it may be edited (including changing its name) via the edit this report link under the report icon on the reports page. While editing a report template is a useful feature, which gives rise to the ability to add, remove and manipulate the sections which it contains, there are occasions when it would be better to simply alter or manipulate an exact copy of a report template, for this purpose the edit a copy of this report option should be used. This will take a copy of all the report’s options and sections while leaving the original report template unchanged. When editing a report template, or a copy of a report template, the preview button may be used without making changes to the existing template. Changes will only be saved to the desired report template when the create report option is used. Note again that the Edit report option on the Report display page (seen while viewing a rendered report) is analogous to the edit a copy of this report option seen from the reports page.

This should leave the question, so when does the model actually get built, the answer to which is reasonably simple. Again using the building-block metaphor, basically the construction of a rendered report requires the following steps to be undertaken.
1 Retrieve assembly instructions.
2 Collect necessary parts from warehouse.
3 Place all the required pieces into a box along with its instructions.
4 Assemble the model and present to the awaiting small child.

A report template provides the first stage of this process, i.e. it is the instruction sheet for building the model. Generating a report, i.e. executing it, will conduct steps 2 and 3. Viewing a report is the final step in this process and renders the report data (assembles the model) according to one of the output methods, i.e. this renders the report out into HTML, PDF, Excel, CSV or other formats. These stages are always transparent to the user, but do deserve some explanation, i.e. clicking on a report template link or a report itself from either the reports or recent and saved pages will complete the missing steps and show the requesting user the final model. The Reports page lists the report templates or instruction sheets. The Recent and saved page shows the list of boxed models ready for assembly.

Changing Report Date Ranges

From the reports page, and while viewing a rendered report, it is possible to change the date range over which the report data is accrued. Note this would require the regeneration of the report data afterwards.

Changing Report Formats

The reporting system provides multiple output formats, while HTML output is the most commonly used there are additional formats which might allow for further analysis or interpretation of data. The formats available are:
• Adobe PDF Format
• Adobe PDF Format (suitable for black and white printers)
• Microsoft Excel format
• Comma Separated Value (csv format)
• Tab Separated Value (tsv format)

Due to the nature of a report and the rendering options, changing the rendering method does not regenerate the report, only the way it is presented. Thus any saved reports can be exported exactly as is without the need to regenerate them, making the export process relatively quick in comparison to the generation process.

From the report page, clicking on either the report template name, its icon or one of the output formats shown in the bottom right will use the date range specified at the top of the page. From viewing a report the date controls appear at the top right of the page next to the table of contents view, the preview button here will regenerate a new report according to those date ranges, which may be saved accordingly. Note again, that both these actions will generate a new report.

Navigating HTML Reports

The HTML rendered version of a report contains a table of contents for quick and easy navigation within the report. This table is accessed by clicking on the contents button in the top left hand corner of the report when it is being viewed. The table of contents is automatically generated and is based upon the sections contained within the report itself. Features such as feed-forward and iterative reporting are reflected as titles within the report and consequently as a level of indentation in the table of contents. At the bottom right hand of each section is a link to the top of the page (labeled top), this can (obviously) be used to skip back to the top of the page where both the table of contents and rendering format options are presented.

Interpreted Results

Some results, such as URLs or IP addresses, can present additional information which might not be apparent from the result itself. For example IP addresses can contain whois information which would allow for greater understanding of the IP address and why it might have appeared. URLs too can contain more information than is immediately apparent from viewing the URL. To activate the Advanced Firewall’s advanced interpreter simply hover the mouse over the desired result, this will produce a tool-tip which contains more information about the result.

For example: In this example, the user has used the advanced interpreter to show the result for a YouTube video. The URL in question has been truncated to show only the immediately relevant information (the protocol, domain and path) and hovering the mouse over the line in the results produces a tool-tip which not only shows the full URL and any associated parameters but has also retrieved the video title, description and thumbnail from the YouTube server. The advanced interpreter is capable of recognizing many different types of URL and will present them in an appropriate manner.

Saving Reports

Reports can be saved for viewing later if this is desired. Saving a report will stop it being subject to the 48 hour rolling deletion which tidies the reports list each day. It is also important to note that a saved report is format-less and as such can be rendered to HTML, pdf, csv etc as desired. Saved reports are listed on the Recent and saved page under the reporting section, and can be viewed, deleted and reused (by means of viewing the template used to generate them) in the same manner as a recent report.

Changing the Report

Once a report has been generated the report template used to create it is stored alongside the report data itself. This report template is a copy of the actual report template used to generate the report and may be edited as desired without altering the version stored within the report itself, and can therefore be used to produce a new report with refined options, alternative date ranges or saved to appear on the reports page. This is achieved in numerous ways depending upon location. While viewing a report there is an edit report button presented underneath the table of contents which leads to the Custom page with the report template used to generate the viewed report already loaded. When viewing the recent and saved page, underneath the report’s icon is a link to Edit report. This option will present the Custom page with the report template used to generate this report already loaded. Note again that this is a copy of the report template and so may be manipulated as desired.

Investigating Further (Drill down)

Each report section when it is generated can present a series of related or drill down reports, these are pre-determined report templates which will allow further investigation relevant to the item in the section in question. This is in a way analogous to the feedforward reporting which will be discussed later, however this is a manual process which allows for a particular result to be investigated further. To better illustrate this behavior, imagine a report taken from Guardian which lists the top users who have requested internet sites via the Guardian content filter. This list would present a series of usernames, suggested drill down reports might allow for a report on the actual sites visited by an individual user, the full web activity for that user and so on. Note the list of related reports is determined by the report section and cannot be altered. Related reports are presented in a variety of ways depending upon the number of options available, and the section which is being used. When a particular result has only one related report available clicking on the result itself will lead to the related report for that result. When a result has more than one related report associated with it then clicking on the result will produce a menu of the available related reports, clicking on the relevant option will result in generating the relevant related report. Drill down reports will be stored notionally underneath the report in the recent and saved section.

Creating Template Reports and Customizing Sections

Report templates and customized sections are managed and manipulated from the Custom page on your Advanced Firewall’s interface. Creating templates is a matter of choosing, grouping and refining a number of sections into the correct set of instructions for the Advanced Firewall’s reporting engine to interpret and use to extract and manipulate data from the Advanced Firewall’s logs. A list of available sections is included on the Custom page under the heading Available sections. Existing template reports are also included in this list so that, once created, they can be included into new report templates without having to redefine them. It should be noted that when a template report is included within another template report its options and sections are copied into the template at the time of its inclusion. Subsequent modifications to the template will not update any other templates that include it. The available sections list is structured as a simple tree, with the sections belonging to each module categorized accordingly, the templates folder at the bottom of this list includes any existing report templates for inclusion as mentioned above.

On the right of the available sections list is the included sections list, which shows a simplified form of the sections currently included in the template report being edited. This list deliberately mirrors its counterpart and denotes both the list of included sections and any groups that have been configured. Groups are shown as folders in the included sections list. To add and remove sections from the included sections list, sections can be highlighted by clicking on them and the add or remove controls used accordingly. Note multiple sections can be added at once, and that sections can appear more than once in a template report.

Ordering Sections

Save the caveats detailed under grouping sections, sections can be included anywhere in a report and ordered to make logical sense to the reader. To reorder a section simply select it from the Included sections list and press either move up or move down depending upon which direction you wish to move it. Note that sections cannot be moved outside of their containing folders.

Grouped Sections

Many of the underlying concepts in Advanced Firewall’s reporting system are based around the notion of grouped sections. A section group is a logical construct which allows for logically connected sections to be collated together. Grouping two sections together will produce a number of consequences and will allow for advanced options such as iteration and feed-forwarding to be used. Primarily grouping options is done to allow multiple, logically similar sections to share options, for example if two options are given slightly different names, but require the same value. For example, the Guardian web content filter module provides a number of reports which can show aspects of web browsing activity as conducted by a particular user. A Domain activity section could be configured to show the top 20 domains visited by a particular user, and a Browsing times section could be configured to show the times of day that a particular user tends to browse the internet. Both of these sections have a username field, so these sections could be grouped together and share the username option, allowing for it to be entered only once when the report is generated. Groups also form the basis of both iterative reports and feed-forward reports, which are simply special cases of section groups. Groups can contain other groups, which may of course be standard groups, iterative or feed-forward groups. They may also contain single sections. By containing groups within groups complicated reporting structures can be developed which allow reports to automatically drill down and produce fine grained detail from a high level overview.

Understanding Groups and Grouped Options

The first details shown in a group are a text entry field allowing for the group name to be changed, this name provides a group to be given a title which will help with understanding the template structure, and does not bear any influence on the report creation. The second option is a drop down list of repeat options, this is used for controlling iterative and feedforward reporting and will be discussed in the appropriate sections. For iterative groups, the variable to iterate over can be chosen from the options common to the grouped sections. For feed-forward groups, a section which produces results of a suitable type can be nominated and other sections in the group will iterate over the results from that section. When options are grouped together they will be presented as an option in the group under a section called grouped options. The list of sections contained within the group is listed below the grouped options, each in its own collapsible section. Grouped options will be included for each section here alongside regular per-section options, with a visual indicator allowing them to be related to their grouped counterparts. Each option may be overridden by means of ticking the corresponding checkbox. An option with an override will use the value given to that option rather than the option it receives from its grouped parent, thus a group containing two sections both of which possess a limit field (the number of items to show) can have different limits applied to them. Next to the override option is a small description denoting why the option is inherently disabled, and where the value comes from. This may be grouped, feed-forward or repeating, meaning that the value will be assigned by the parent group, the results of a feed-forward section or from one of the list provided in an iterating group. They may also have a small visual indicator shown next to them in both the grouped options section as well as the regular options panel for each section. This indicator shows which options are grouped together and allows for them to be quickly collated together. Options which are not grouped, fed-forward or iterated over will be displayed using a format which is appropriate to the type of value expected. This may be any number of common user interface elements (checkboxes, select boxes, text entry fields etc) and may provide auto-complete features to assist in finding an appropriate value. Any overridden options will also be displayed and entered in this manner and, when provided, will replace values as would be expected.

Group Ordering

Sections within a group can be re-ordered, this notionally changes nothing other than the order in which they are included in the final report once data has been acquired. There are exceptions to this rule however. Groups utilizing feed-forward will require one of their sections to be promoted (denoted as the feeder) to a state where it will provide the answers for which the other sections within that group are to be repeated. Naturally a feeder must be included before the sections it is feeding, and therefore it is removed from the normal section ordering and placed above the grouped options list in the group’s display.

Feed-Forward Reporting

Due to the jigsaw or building block like nature of reporting sections a particular report section may only provide part of the information which is desired, rather than the complete picture. To allow for this the reporting template system in Advanced Firewall allows for a section’s results to be used as the source of options for subsequent sections. These sections can be chained together using a mechanism known as feed-forward where the results from one section are used to define the behavior of another. To lead by example, take the Network Interfaces and Individual Network Interfaces sections. The Network Interfaces section can be used to show a list of all network interfaces which are configured on Advanced Firewall, or those which are configured for internal or external networking. This information provides limited details for the network interface such as its IP address and other details, however it does not show monthly usage statistics. The Individual Network Interfaces section can provide this information, but needs to be supplied with the name of the interface for which to provide details. In this example the Network Interfaces report can produce one or more Interfaces, which is one of the options for the Individual Network Interfaces section. By chaining these two report sections together it is possible to produce a report template which will detail the configured external interface for Advanced Firewall, and then display the advanced usage and bandwidth statistics from it.

Iterative Reporting

Some report sections only deal with a limited set of data, a single group, username or IP address for example. For this reason it may be desired to repeat a section using mostly the same options, but with one particular option changed each time. For example it may be desired to see the Individual Network Interface section for several (but notably not all) of the local network interfaces. In this case it would be possible to select the local network interfaces that are desired and repeat the section once for each of the desired interfaces. Note that there is potential overlap here, and if the desired result is a list of all the local interfaces then feedforwarding could be used instead. However, feed-forward would produce a list of all internal interfaces, as well as include the Network Interfaces report. Note that while it was covered first, feed-forward is actually a special case of iteration, where the list of values to be iterated over is produced as the list of answers from a particular report section.

Grouping Sections

To group a number of sections together they should be selected from the included sections list and then grouped using the group button. Note that only sections at the same level in the included sections tree can be grouped together, although a group can contain any number of items including other groups. Similarly the ungroup command should be used to either disband a group or to remove a single item from an existing group. Ungrouping a group will disband that group, moving all its contained sections to the same level on the included sections tree that the group previously occupied, the group folder will then be removed. Ungrouping a single section will move that section up the tree to the same depth as is occupied by the group that it has just been removed from. Note, however, that ungrouping sections will remove any properties that the group contains, and so may affect any feed-forward, iterative or grouped options.

Creating Feed-forward and Iterative Groups

Creating a group construct for use with feed-forward or iterative operations is done in the same way as creating a normal group. It should be noted that when feed-forward is desired the section producing results should be included in the group when it is first created. To create an iterative group, the desired sections should be grouped and the option which will form the basis of the iteration selected from the Repeat drop-down which can be found immediately above the grouped options section for that group. Options which may be used in this way are included under a heading (in the drop down menu) of based upon grouped option and the list will contain most of the options that the grouped options section contains. When iterating over a grouped option, that option is no longer available in the group. Creating a feed-forward enabled group is done in a similar manner, however this time under the Repeat drop down a list of sections is included under the title using results from a section. By choosing a section to feed-forward the results from, this section is removed from the normal flow within the group and is instead included as a feeder section, this will form the basis of the feed-forward. This is due to the nature of feedforwarding reports, that they must produce the list of results to iterate over prior to iterating over them. Feed-forward results pass from one variable into another, however the variables are named in a way which makes them human readable, but not always identically for the sake of clarity. Some care should be taken when choosing sections to flow into each other, however generally results such as username should be taken to be suitable for feeding a username field. The results returned by each section are visible under the results tab on the section in question, as well as the bottom right hand side of the section’s description in the available sections list. For example, the Network ARP Table section produces a list of interfaces which the connection is on. The result is labelled as Connected Interface and is of a type suitable for forwarding into the Individual Network Interface section.

Additional caution should be taken when considering feed-forward reports as to the volume of data produced, along with the potential work load that this would require on Advanced Firewall. For example, a report which shows the top 20 groups within an organization, the top 50 users within each of those groups and the top 100 banned URLs each of those users attempted to request is entirely possible, this would result in the following execution tree.

Group Activity Section
    20 x User Activity Section
        50 x URL Activity Section
            100 URLs

Hence, 20x50x100 URLs, or potentially the results for a thousand users, and hundred thousand URLs. It would also require the execution and calculation of the top URLs section up to a thousand times, assuming a reasonable time period for the calculation of each, such a report would potentially take several hours to compile and be bewilderingly detailed for any person who chooses to read it.

Exporting Options

Each report section provides a list of options which define its behavior. This behavior may be defined at a later stage to make the report template truly flexible. For example a domain activity section can take a username value to show the domains requested for a particular user which were subsequently banned. Creating a template for this information for each user within an organization is time consuming and unwieldy to say the least. It is for this purpose that section options may be exported, which can be changed by the person using the report template. In this particular example a domain activity section could be included in a report template, and have its Denied status checkbox enabled. Swapping to the export tab would show a list of all the available options for this report, choosing to export the username field prior to creating the report template would mean that the username field is present for this template report on the reports tab on the Advanced Firewall main interface (Logs and reports > Reports > Reports), similarly typing a username into the section’s username option (on the options tab) allows the template report to create a default username. Choosing the Denied option on the export tab would again make this setting available outside of the report template (on the reports page), however it would also have the added effect of allowing a user to turn this option off when using the template.

Reporting Folders

Report templates can be arranged into a common hierarchy to allow for like purposed report templates to be kept together and alleviate some of the confusion in finding the desired template. Report templates are structured into one of the following folders on a standard Advanced Firewall installation.

Email
Firewall and networking
System
Trends
Users
    IP address analysis
    IP address analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
    Top IP addresses
    Top users
    User analysis
    User analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
Web content
    Per category
        Blogs
            Blogger
            Blogs
            WordPress
        Category analysis
        Image and video sharing
            Dailymotion
            Flickr
            Fotolog
            ImageShack
            ImageVenue
            YouTube
        News
            BBC News
            CNet
            CNN News
            Slashdot
        Reference and educational
            IMDB
            Wikipedia
        Shopping and online auctions
            Amazon
            Craiglists
            Ebay
            Shopping and online auctions
        Social bookmarking
            Delicious
            Digg
            Reddit
            Stumbleupon
        Social networking
            Bebo
            Facebook
            Friendster
            Hi5
            Linkedin
            Myspace
            Orkut
            Social networking
            Twitter
        Sport
            BBC Sport
            ESPN Sport
        Web portals and search engines
            AOL
            Google
            Search engines
            Windows Live and MSN
            Yahoo
    Site analysis
        Top categories
        Top domains
        Top URLs
        Top web searches

The destination folder for a report template can be set when creating the report template itself by means of the Location option. This option contains an indented drop-down list of available folders, report templates can be placed in any folder as desired.

Folders can be created or deleted from the reports page, which is the main location to use to find report templates and report folders. It also provides the ability to rename folders and edit and remove report templates. A location bar is also present along the top of the Reports page which allows users to navigate the folder structure. Folder navigation is achieved by clicking on the folder name. Clicking on a folder higher up in the hierarchy provides a list of alternative folders on the same level of the tree, this provides a faster means to navigate the list of available folders.

Creating a Folder

To create a folder simply navigate to the appropriate location in the hierarchy and click on the create folder button next to the location bar, this will create a new folder called new folder with the ability to rename it. A new folder should be named using letters, numbers and a limited set of punctuation symbols. Note that report folder names must be unique at the same level.

Renaming Folders

Entering the name that is desired into the text box that is present and clicking rename will change the name of the report folder.

Deleting Folders

Folders can be deleted from the Reports page by pressing the red cross icon immediately below the folder image. Note, only empty folders can be deleted, so care should be taken to ensure that all report templates and other folders have been removed before deleting a folder. This limitation is in place because folder and report template deletion cannot be undone, therefore such potentially dangerous actions are deliberately long winded.

Scheduling Reports

It is possible to schedule a report template to be executed at a particular time of day and repeated at desired intervals. Scheduled reports are deliberately flexible and present a full list of all report templates to be scheduled. Options exported to the Reports page may also be set on a report by report basis, so it is possible to schedule a particular user (the sales manager for example) the web activity for the sales group using a web activity report template and another user (the support manager) the web activity report for the support group by means of the same report template. Reports generated in this way may be saved for use later via the recent and saved reports section and/or emailed to a list of people as an HTML embedded email or plaintext email. Scheduled repeats allow for the automated generation of reports at specific intervals, the intervals available are:
• Daily – each day at the time allocated
• Weekday – each working day (Monday to Friday) at the allocated time
• Weekly – every week at the allocated time on the same day of the week as the first report.
• Monthly – every month at the allocated time on the same day of the month as the first report.
Repetition can also be disabled if it is not desirable to receive a report at regular intervals.

Scheduled reports can also be made available to particular portals using the report template’s portal permissions. Since portal permissions can be configured to behave differently depending upon the portal the generating user is assigned to, it is possible to assign a specific portal for the scheduled report to be generated by, or to one or more other portals as desired.

Portal Permissions

Reports can be made available to individuals who do not have access to the Advanced Firewall administrative interface via the Advanced Firewall user portal. This is achieved via a report, or report template’s, portal permissions. There are two variations to portal permissions which dictate exactly how a report might be used. Normal report permissions allow a user via the portal access to either a particular report, or a particular report template. Access in this context means that they are able to generate and view the report data. Automatic access allows a user’s reporting activity to be made available to other users via the portal. To clarify this, a report template will generate a report when it is used. When it is generated via the portal this report will by default only be available to the user who created it, regardless of which portal that user was in. Automatic access allows this report to be made automatically available to other users who share the author’s portal. The Automatic access permission of portal is a special permission which allows a generated report to be assigned to all members of the portal belonging to the person who generated the report.

Reporting Sections

Generators and Linkers

Reporting sections can be divided into principally two types, generators and linkers. While all report sections generate results, and display those results in the final rendered report, some sections generate results which are intended for use in feed-forward reports and are only really useful in that context.

For example, the Guardian module provides a report section entitled Per user Client IP addresses. This section will take a Guardian username (be it derived from Active Directory or other such authentication mechanism) and show the IP addresses that are associated with this user in the Guardian web proxy access logs. It will also show the timestamps that these hits occurred at. This information is perhaps informative, but not particularly. However the results, Client IP address and Time-Period, are both filters which can be applied to other reports, reports which might not be able to associate activity with a particular username. For example, the IM module provides tracking of Instant Message conversations, however users are unlikely to use (not to mention forbidden from using) their work usernames as their local usernames for such conversations. The IM module however does record the IP address used in these conversations, so using a linker section such as the one described above would be able to feed from a username, to an IP address, to an IM conversation. By this mechanism it is possible to deduce the IP address a user has been seen to use, and the time period during which they were using it.

General Sections

The bulk of Advanced Firewall’s reporting sections are reasonably easy to describe and are detailed quite well by their descriptions, there are however several big reports which defy such description and require a more in depth discussion, these will be covered later. Standard sections will show up in the available sections list in a manner similar to the following. This shows the section’s description, title and any results that are returned for use in the system’s feed-forward ability.

Network Interfaces

A list of the configured internal and external network interfaces on the system, including any internal NIC interfaces, External NIC interfaces, modems, VLANs and VPN interfaces. Includes details about the hardware, configuration and recent network activity for each interface.

This report section lists the interfaces available on Advanced Firewall.

The options available to this interface allow you to discriminate between Internal, External and VPN interfaces as well as the ability to show or hide any disconnected interfaces. This section returns an interface which may be passed into a report section such as the Individual network interface report section.

The Anatomy of a URL

URL processing in the Advanced Firewall reporting system is achieved via a series of mechanisms which automatically split a URL into a number of internal parameters which are used to speed up data processing and achieve the desired results efficiently and with minimal need to understand the dynamics of how an individual web site is constructed. However some explanation is required as several of the more advanced features of the Guardian reports require some manipulation of the URL. An Advanced Firewall reporting URL is extracted into three distinct components, the protocol, domain and parameters. For example: As can be seen, a URL entered into the Advanced Firewall reporting system will be automatically highlighted in color to denote where the appropriate parts of the URL are being extracted from. URLs entered in this fashion can be complete (as in the above example) or can alternatively be partial, including a combination of protocol, domain and parameters, protocol and domain, domain and parameters or the parameters themselves. To use a partial URL the URL entered should be of an appropriate format depending upon the combination of parameters which is desired. A URL fragment starting with characters and ending with the string :// will be interpreted as a protocol. A URL which starts with a character other than / and does not end with :// is viewed as being the domain. Separation is effectively done from the right hand side backwards, so any URL starting with / would be viewed as simply the parameters. Deciphering a URL can however be a non-trivial task, especially due to some web sites, companies and organizations using a variety of load balancing techniques, curious URLs, sub-domains and a variety of techniques which can only have been considered a good idea at the time. StumbleUpon, a Social bookmarking site, exists not only at the domain www.stumbleupon.com but also stumbleupon.com, a common enough concept with regards to the absence of www. However it also receives some of its content from cdn.stumble-upon.com and stumbleupon.com. For this reason it is possible to switch the URL recognition options in the Advanced Firewall reporting system into dealing with URLs as regular expression matches rather than strict matching.
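As an added example (not Smoothwall code), the following Python re-implements the splitting rules described above and the strict-versus-regular-expression comparison, using the StumbleUpon hostnames the guide names. The internal representation (protocol kept without its ://, absent parts as None), the partial-URL-as-filter behaviour and the sample logged URLs are assumptions made for the example.

```python
"""Illustrative re-implementation of the protocol / domain / parameters split
described in "The Anatomy of a URL", plus strict-vs-regex comparison.
Added example, not Smoothwall's own code; where the guide is silent the
behaviour below is an assumption."""
import re
from typing import Collection, Dict, Optional

Parts = Dict[str, Optional[str]]


def split_reporting_url(entered: str) -> Parts:
    """Split a complete or partial URL into protocol, domain and parameters.

    Rules from the guide:
      * a run of characters ending in "://" is a protocol only;
      * anything starting with "/" is parameters only;
      * otherwise the text starts with a domain, and separation is done from
        the right: everything from the first "/" after the domain is parameters.
    Missing parts are returned as None (assumed representation).
    """
    parts: Parts = {"protocol": None, "domain": None, "parameters": None}
    if not entered:
        return parts
    if entered.endswith("://"):
        # e.g. "https://" -> protocol and nothing else
        parts["protocol"] = entered[:-3]
        return parts
    if entered.startswith("/"):
        # e.g. "/watch?v=abc" -> parameters only, domain unknown
        parts["parameters"] = entered
        return parts
    rest = entered
    scheme_end = rest.find("://")
    if scheme_end != -1:
        parts["protocol"] = rest[:scheme_end]
        rest = rest[scheme_end + 3:]
    slash = rest.find("/")
    if slash == -1:
        parts["domain"] = rest
    else:
        parts["domain"] = rest[:slash]
        parts["parameters"] = rest[slash:]
    return parts


def url_matches(entered: str, logged: str,
                regex_parts: Collection[str] = ()) -> bool:
    """Compare a URL typed into a report option against a logged URL.

    Only the parts the entered URL supplies are compared, so a partial URL
    acts as a filter on just those parts (assumed).  Parts named in
    regex_parts are compared as regular expressions, all others strictly;
    the guide advises enabling regex matching on as few parts as possible.
    """
    want = split_reporting_url(entered)
    have = split_reporting_url(logged)
    for name in ("protocol", "domain", "parameters"):
        if want[name] is None:
            continue
        if have[name] is None:
            return False
        if name in regex_parts:
            if not re.fullmatch(want[name], have[name]):
                return False
        elif want[name] != have[name]:
            return False
    return True


# Constructed sample of logged URLs: the StumbleUpon hostnames are the ones
# the guide mentions, the paths and the YouTube entry are made up.
LOGGED = [
    "http://www.stumbleupon.com/home",
    "http://stumbleupon.com/su/123",
    "http://cdn.stumble-upon.com/img/logo.png",
    "https://www.stumbleupon.com/login",
    "http://www.youtube.com/watch?v=abc",
]


def stumbleupon_hits(regex: bool) -> int:
    """Count logged URLs caught by a StumbleUpon domain option.

    Strict matching on www.stumbleupon.com misses the www-less and cdn
    variants; a regex on the domain part only picks them all up.
    """
    if regex:
        pattern = r"(www\.|cdn\.)?stumble-?upon\.com"
        return sum(url_matches(pattern, u, {"domain"}) for u in LOGGED)
    return sum(url_matches("www.stumbleupon.com", u) for u in LOGGED)
```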

324 . it may be that it is whitelisted. but did not quite cause the site to be blocked. other than the protocol there is nothing to distinguish HTTP and HTTPS methodology. indeed. searching for options other than CONNECT will provide results which may have been subjected to HTTPS interception. Denied (or blocked). Denied – This denotes sites which were blocked by the phrase or URL filtering in the Guardian product. To differentiate between the two it is possible to set the HTTP request method (optionally along with the protocol from the domain) to catch HTTPS content which has been intercepted and that which has not. soft-blocked. domain and parameter parts of a URL and for speed / processing reasons it is advised that they be turned on for the minimum of the parts which are possible. This shows content which contained a number of phrases which elevated its score. if the connection is not being intercepted this is the only part of the communication which is logged. Infected or Modified. Exception. Hence. the resulting action of that filtering is logged and can be used to filter any results within the Guardian reports. Guardian however also logs connections made to HTTPS servers where the content of that communication has not been intercepted.Reporting Sections These options can be turned on individually for the protocol. those being Almost blocked. The reasoning why the page was banned can be determined by adding the include status option on those reports which support it. Exception – The site in question was not filtered for one of several reasons. Guardian Status Filtering Each URL which passes through Guardian is subjected to a level of filtering. A URL may contain one or more of the following status messages. If the connection is being subjected to HTTPS interception then the requests within the connection are additionally logged. HTTPS connections start with a HTTP CONNECT request. 
Additionally setting the URL to include the string https:// will return only those results which have been HTTPS intercepted as it restricts the results to those which are via the HTTPS protocol and using a connection method other than CONNECT. the client IP/Group is not subject to filtering etc. HTTP Request Methods and HTTPS Interception The nature of HTTPS interception means that in essence a HTTPS intercepted site should be treated no differently to a non-HTTPS site in terms of its logging. temporarily bypassed. The meaning of these is covered below. Almost blocked – This denotes any result whose score for phrase analysis was between 90 and 100 (the default score over which a result is blocked). Note however that this can change the ordering of the results.
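As an added example (not Smoothwall code), the following Python applies the URL splitting rule and the CONNECT / https:// distinction described above to a few constructed log records; the record layout and the status strings are assumptions, not Guardian's own log format.

```python
"""Added example (not Smoothwall code): split a reporting URL into its
protocol / domain / parameters parts and apply the HTTPS-interception
filter described above to a few constructed Guardian-style log records."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UrlParts:
    protocol: str    # e.g. "https://", or "" when the URL carries none
    domain: str      # host part, "" when the URL starts with /
    parameters: str  # everything from the first / onwards


def split_url(url: str) -> UrlParts:
    """The page's rule: a URL that starts with something other than / and
    does not end with :// is a domain; a URL starting with / is parameters
    only. An optional leading scheme is peeled off as the protocol."""
    m = re.match(r"^([a-z][a-z0-9+.-]*://)?", url, re.IGNORECASE)
    protocol = m.group(1) or ""
    rest = url[len(protocol):]
    if rest.startswith("/"):
        return UrlParts(protocol, "", rest)
    domain, slash, params = rest.partition("/")
    return UrlParts(protocol, domain, slash + params)


# Constructed log records (assumed layout): client, method, URL, Guardian status.
RECORDS = [
    ("10.0.0.5", "CONNECT", "mail.example.com:443", "exception"),
    ("10.0.0.5", "GET", "https://mail.example.com/inbox", "exception"),
    ("10.0.0.7", "CONNECT", "bank.example.net:443", "exception"),
    ("10.0.0.9", "GET", "http://news.example.org/story/1", "almost blocked"),
    ("10.0.0.9", "GET", "http://news.example.org/story/2", "denied"),
    ("10.0.0.9", "GET", "https://video.example.com/watch?v=1", "modified"),
]


def https_intercepted(records):
    """Records that were HTTPS intercepted: https:// protocol AND a request
    method other than CONNECT (an un-intercepted HTTPS connection logs only
    its CONNECT request)."""
    return [r for r in records
            if split_url(r[2]).protocol.lower() == "https://"
            and r[1].upper() != "CONNECT"]


def https_not_intercepted(records):
    """Bare CONNECT tunnels: all that is logged when not intercepting."""
    return [r for r in records if r[1].upper() == "CONNECT"]


def by_status(records, *statuses):
    """Guardian status filter: keep records whose status is in the set."""
    wanted = {s.lower() for s in statuses}
    return [r for r in records if r[3].lower() in wanted]


if __name__ == "__main__":
    for r in https_intercepted(RECORDS):
        print("intercepted:", r[0], r[2])
    for r in https_not_intercepted(RECORDS):
        print("tunnel only:", r[0], r[2])
    for r in by_status(RECORDS, "denied", "almost blocked"):
        print("filtered:", r[3], r[2])
```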

Modified – Determines content which was modified as it passed through the Guardian filter. This might be due to a security rule (such as removing JavaScript, etc.).

Search Terms and Search Phrases

There are three facets to the search term reporting on a Guardian system: search terms or phrases that have been encountered within the Guardian filtered URLs; searching of search terms; and filtering by search term and selecting banned search terms, or to enforce AUP concepts such as safe search.

Discovering search terms and showing them is achieved with the search engine search strings and terms report section. This section has a few peculiarities to its options which will be covered below; however, the section is essentially designed to show the top search terms. Search terms are denoted as being either an individual word, or the entire phrase which was searched for. Note that the search term reporting will treat any quoted strings as a single search word. For example, searching for ‘babylon 5’ earth destroyer would be considered to be three search words, ‘babylon 5’, ‘earth’ and ‘destroyer’, and one search phrase.

Search terms, unlike search phrases, can additionally be restricted to omit grammatical sugar or stop words. Words such as ‘and’, ‘of’ and ‘the’ are usually omitted by most search engines, and this can be taken into consideration by using the option individual (uncommon) search terms on the search term matching drop-down box. The list of common search terms is taken to be the list of words omitted by the Google search engine; this list is as follows: ‘i’, ‘a’, ‘about’, ‘an’, ‘are’, ‘as’, ‘at’, ‘be’, ‘by’, ‘com’, ‘de’, ‘en’, ‘for’, ‘from’, ‘how’, ‘in’, ‘is’, ‘it’, ‘la’, ‘of’, ‘on’, ‘or’, ‘that’, ‘the’, ‘this’, ‘to’, ‘und’, ‘was’, ‘what’, ‘when’, ‘where’, ‘who’, ‘will’, ‘with’ and ‘www’.

Search words and phrases are assumed to be case insensitive, as the vast majority of searches are done regardless of capitalization; however, search filtering can be made case sensitive by usage of the case sensitive search option under the advanced options for this report. Both search terms and phrases can optionally be considered as regular expression matches via the appropriate option under the advanced options.

Note that a list of blocked search phrases can be achieved by use of the Guardian status denied option under the Guardian status options. Additional filtering options for username, group, client IP address and Guardian status are presented for this report.
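As an added example (not Smoothwall code), this Python breaks a search phrase into search words the way the section describes, treating quoted strings as one word, optionally dropping the common-word list given above, and applying the phrase-level filter with its case-sensitive and regular expression options; the function names are assumptions.

```python
"""Added example (not Smoothwall code): search words vs. search phrases,
quoted strings as single words, the common-word list, and the phrase
filter with its case-sensitive / regular expression options."""

import re
from collections import Counter

# The common-word list given on the page (the words Google omits).
COMMON_WORDS = {
    "i", "a", "about", "an", "are", "as", "at", "be", "by", "com", "de", "en",
    "for", "from", "how", "in", "is", "it", "la", "of", "on", "or", "that",
    "the", "this", "to", "und", "was", "what", "when", "where", "who", "will",
    "with", "www",
}

# A quoted string (straight or curly quotes) or a run of non-space characters.
TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|‘([^’]*)’|(\S+)')


def search_words(phrase: str, uncommon_only: bool = False,
                 case_sensitive: bool = False) -> list:
    """Individual search words of a search phrase. Quoted strings count as
    one word; uncommon_only drops the common words, as the 'individual
    (uncommon) search terms' option does; matching is case insensitive
    unless asked otherwise."""
    words = []
    for m in TOKEN_RE.finditer(phrase):
        word = next(g for g in m.groups() if g is not None).strip()
        if not word:
            continue
        if not case_sensitive:
            word = word.lower()
        if uncommon_only and word.lower() in COMMON_WORDS:
            continue
        words.append(word)
    return words


def phrase_matches(phrase: str, wanted: str, regex: bool = False,
                   case_sensitive: bool = False) -> bool:
    """Search term filter over the whole search phrase: by default
    'strings containing this phrase', optionally a regular expression."""
    if regex:
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.search(wanted, phrase, flags) is not None
    if case_sensitive:
        return wanted in phrase
    return wanted.lower() in phrase.lower()


def top_words(phrases, n: int = 10, **opts) -> list:
    """Top search terms across many phrases, as the report section shows."""
    counts = Counter()
    for p in phrases:
        counts.update(search_words(p, **opts))
    return counts.most_common(n)


if __name__ == "__main__":
    # Constructed search phrases (sample data, not from any log).
    searches = ["‘babylon 5’ earth destroyer", "the history of the badger",
                "BADGER facts", "honey badger"]
    print(search_words(searches[0]))
    print(top_words(searches, n=3, uncommon_only=True))
    print([s for s in searches if phrase_matches(s, "badger")])
```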

Filtering by Search Terms

As explained earlier, individual Guardian reports can be filtered by the search terminology they contain. For example, it is possible to show the top ten domains which contained a search request for the word badger. This filtering is achieved by using the individual report section’s Search term matching options, presented under that section’s advanced options. Note that all search term filters operate over the search phrase rather than individual words, and can optionally be changed to using regular expression matches rather than the default mode of operation, which is strings containing this phrase. To search for blocked search terms, this filter can be used in combination with the Guardian status filters.

URL Extraction and Manipulation

The Advanced Firewall reporting system for Guardian contains an advanced reporting section called URL interpretation and reporting, which allows for a sophisticated set of URL manipulations to be conducted to extract information from the Guardian logs. This reporting section has a lot of reasonably complicated options; however, only a few of them are relevant to the discussion of its operation. Those options which are not are grayed out in the example above and will be omitted from any further discussion, as they apply the expected limitations on the search results, changing the number of results or any username, client IP address or group filter, etc.

The most important option for this report section is the URL, which in this example is a regular expression URL which refers to the BBC news web site. The protocol and domain fields in the URL

in this example are reasonably straightforward; they do not contain any regular expression matches (anything in brackets) and as such will not be used for anything further in this report section. The parameters field, however, does contain two regular expression matches, the parts between the opening and closing brackets, ( ). Of these two parameters one is the section of the BBC news site this article is from, the other is the article name. In this example, if a BBC news article URL is considered:

http://news.bbc.co.uk/1/hi/technology/7878769.stm

the two matches would provide technology and 7878769 as matches. The parts of the URL extracted by these matching parts of the URL regular expression are labelled 1 and 2 respectively, and the appropriately labelled term will be used by the Match to extract from parameters and Match to compare parameters to fields to further analyze the URL.

The Match to extract from domain and Match to extract from parameters options present which regular expression match ($1, $2, $3 etc.) to extract from the URL for the purposes of identifying unique content. In this example we can see that the parameter match 2, being the value of 7878769 or the article number, would be used to uniquely identify this URL. This value is subsequently used to uniquely identify the relevant URLs before producing a list of the top matches, in this case the top news articles.

Domain match and Parameter match – These options allow for additional information to be fed into the searching and will replace particular matches in the URL with the appropriate values. The options of Match to compare domain to and Match to compare parameters to allow for values to be substituted into the appropriate URL regular expression match to further filter the URL. In the above example the Match to compare parameters to value is 1, which means that the value entered into the Parameter match box would be substituted into $1 in the URL. This would mean that entering the option technology into the Parameter match field would produce the top 50 news articles from the technology section of the BBC News web site.

Recognise common URLs – This option allows the reporting system to recognise common URLs for known sites. This includes the ability to extract a YouTube video name from a YouTube video ID, or the ability to extract a page title from an HTML page’s header. In this example we can see that the option is enabled; thus for each of the reconstituted URLs the system would retrieve the HTML (.stm) page from the BBC News web site, extract the <title> section from the page header and include it in the report.

Rebuild and include example URL – As part of its drill down and feed-forward abilities, the URL extraction report section reconstitutes a probable URL for the linked material. When this option is ticked, this reconstructed URL is included in the report alongside the match. Note that some sites, such as YouTube, can host several different URLs for the same video ID; the system would then have to construct a probable URL for the content. To elaborate on this matter, both of the following URLs:

http://www.youtube.com/get_video?video_id=6rNgCnY1lPg
http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg

are for the same video, and could be matched accordingly (giving two hits for this video). In these cases the reconstructed URL is a potential URL that might have been used, which would in this example reference either the .com or .co.uk address version, even if it is not the actual URL that was encountered.

Results title – This report section is feed-forward enabled and can produce a list of regular expression URLs to identify and extract matching content. However, the URL is rarely of interest to anyone viewing the resultant report, although by default it would be included as the section title for the feed-forwarded results. For this purpose it is possible to override the title used for the feed-forward sections by entering a value into the results title box. This can be straight text, or can reference one of the result’s feed-forward values by means of a wildcard. In this case, we can see that %matchtitle% is used as the value, which would present the feed-forward result of matchtitle as the title for any feed-forward sections. %matchtitle% would be the <title> extracted from the relevant HTML page. Alternatively, values of %domainmatch%, %parametermatch% or %url% could be used.

In the above example, the URL extraction section is being used to display the top 50 video results from the YouTube site. The URL once again contains a series of regular expression matches; this time the domain also includes a series of wildcards (.*) to accommodate YouTube being hosted via multiple domains, sub-domains and TLDs. In this manner, the URL extraction section provides one of the most flexible tools for extrapolating information about particular web sites with no in-built understanding of the site. This means that the section can easily be tailored to accommodate new web sites, or internal web sites which may be processed by Guardian but are outside of the scope of the standard templates.

Origin Filtering

Advanced Firewall contains the ability to aggregate reports over several different machines. Several Advanced Firewalls, for example, can be used as a cluster of web content filters, or alternatively the system might be configured to receive the browsing activity from several mobile users via the MobileGuardian content filter. When these results are aggregated onto a central reporting Advanced Firewall system, they each contain a unique identifier to state where they came from. This identifier can be used to filter particular results to have originated from a particular machine, or class of machines. The origin filter on an Advanced Firewall report allows for the class of machine or, in some cases, the individual machine to be used to restrict the results.

Note: The list of originating systems does not include a list of individual MobileGuardian installations, as there may be several dozen or more of these.
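As an added example (not Smoothwall code, and not the reporting system's implementation), this Python reproduces the URL extraction mechanics from the BBC and YouTube discussions above: bracketed matches become $1, $2, $3, the Parameter match value is substituted into the compared match, the extracted match identifies unique content, and the Results title wildcards are expanded. The log URLs other than the page's own BBC and YouTube examples are constructed, and the function names are assumptions.

```python
"""Added example (not Smoothwall code): URL extraction with regular
expression matches, parameter substitution, unique-content counting and
feed-forward title wildcards, over constructed log URLs."""

import re
from collections import Counter

# Constructed Guardian log URLs. The BBC article 7878769 and the YouTube id
# 6rNgCnY1lPg come from the page; the other ids are made up.
LOG_URLS = [
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/technology/7878800.stm",
    "http://news.bbc.co.uk/1/hi/business/7878801.stm",
    "http://www.youtube.com/get_video?video_id=6rNgCnY1lPg",
    "http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg",
    "http://uk.youtube.com/get_video?video_id=AbCdEf12345",
]

# $1 = news section, $2 = article number (the page's BBC example).
BBC_PATTERN = r"http://news\.bbc\.co\.uk/1/hi/([a-z_]+)/([0-9]+)\.stm"
# Wildcarded domain for YouTube's many hosts and TLDs; $3 = video id.
YOUTUBE_PATTERN = r"http://(.*)\.youtube\.(.*)/get_video\?video_id=([A-Za-z0-9_-]+)"


def substitute_group(pattern, n, value):
    """'Match to compare ... to': replace the n-th bracketed match with the
    literal value, keeping the brackets so later $n numbering is unchanged.
    Assumes the brackets are not nested, as in the page's patterns."""
    groups = list(re.finditer(r"\([^()]*\)", pattern))
    g = groups[n - 1]
    return pattern[:g.start()] + "(" + re.escape(value) + ")" + pattern[g.end():]


def extract_top(urls, pattern, extract_match, compare_match=None,
                parameter_match=None, top=50):
    """Return [(extracted value, hits, example URL)] ordered by hits.
    extract_match is the $n that identifies unique content; compare_match
    and parameter_match narrow the pattern before matching."""
    if compare_match is not None and parameter_match is not None:
        pattern = substitute_group(pattern, compare_match, parameter_match)
    compiled = re.compile(pattern)
    hits, example = Counter(), {}
    for url in urls:
        m = compiled.match(url)
        if m is None:
            continue
        key = m.group(extract_match)
        hits[key] += 1
        # Rebuild and include example URL: the first URL seen for this
        # content stands in for the probable URL in the report.
        example.setdefault(key, url)
    return [(k, n, example[k]) for k, n in hits.most_common(top)]


def feed_forward_title(template, url="", domain_match="",
                       parameter_match="", match_title=""):
    """Expand the Results title wildcards listed on the page."""
    return (template.replace("%url%", url)
                    .replace("%domainmatch%", domain_match)
                    .replace("%parametermatch%", parameter_match)
                    .replace("%matchtitle%", match_title))


if __name__ == "__main__":
    # Top technology articles: Parameter match "technology" goes into $1,
    # articles are identified by $2.
    for article, n, url in extract_top(LOG_URLS, BBC_PATTERN, extract_match=2,
                                       compare_match=1,
                                       parameter_match="technology"):
        title = feed_forward_title("%parametermatch% article %url%",
                                   url=url, parameter_match="technology")
        print(n, "hits:", title)
    # Top videos across all YouTube domains, identified by $3.
    for video, n, url in extract_top(LOG_URLS, YOUTUBE_PATTERN, extract_match=3):
        print(n, "hits for video", video, "e.g.", url)
```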

Note: The recommended configuration for MobileGuardian installations is to have MobileGuardian derive its configuration from a specific authentication group, and so the default template reports have been constructed with that in mind. By default, MobileGuardian filtering would be achieved using a group filter for the appropriate group; however, should more advanced processing be required, the Origin filter could be used instead.


Appendix C Troubleshooting VPNs

In this appendix:
• Solutions to problems with VPNs.

Site-to-site Problems

All the PCs that are to participate in the VPN need to be fully operational and visible on the network before attempting to install and configure VPN software. In particular, there must be a default route (gateway). Check that it is possible to ping the IP address of the RED (Internet) NIC on both Smoothwall Systems. Failure to get a ping echo would indicate that:
• The remote Advanced Firewall is not running
• You have the wrong IP address for the remote Advanced Firewall
• There is a network connection problem – check routers, hubs and cables etc.
• There is a problem at your Internet Service Provider
• Advanced Firewall has ping disabled via the admin interface

• Verify IP addresses by checking the Networking > Interfaces > Interfaces page for the appropriate Ethernet card.
• Check the routing information displayed in Advanced Firewall's status page.
• Verify the symmetry in the tunnel specification, i.e. that the IDs, IP addresses and Remote network addresses are mirrored. This is where most people make mistakes.
• Be consistent with IDs. For example:
  • Hosts on static IPs should use the hostname for the gateway as the ID.
  • Hosts on dynamic IPs should use the administrator's email address.
  • Clients should usually not use an ID, unless they are using an unusual client that requires one.
• A different local network address must be configured at both ends of the tunnel; they cannot both use the default of 192.168.0.0. Likewise, ensure there is no conflict with another network address.
• To simplify the problem, attempt to get a connection with shared secrets before moving on to certificates.
• Each node on the VPN network must have its own unique certificate. Specifically, at least one field in the subject must be different. The subject is a composite of the information fields supplied when the certificate is created. Obviously, fields like company name can be common to all certificates. Likewise, the Alt (Alternative) Name field must be unique for each certificate.
• Verify with the ISP that VPN traffic is not being blocked by any firewall or router used by the ISP. Specifically, if the tunnel goes into OPEN mode but no packets will flow between the two networks, it is possible that one of the ISPs involved is blocking the ESP or AH packets. ESP mode uses IP protocol 50; AH mode uses IP protocol 51.

L2TP Road Warrior Problems

The most likely problem with L2TP road warriors is establishing the initial IPSec transport connection. Check the IPSec logs first when looking for causes of problems. The same problems that can occur with any other type of IPSec connection can also occur with an L2TP road warrior. However, because the vast majority of parameter values are predefined, it is generally not likely for an IPSec protocol error other than a certificate problem to occur.

The most likely reason for a failure at this stage is an incorrect or invalid certificate. First of all, verify the correct certificate is installed using the Microsoft MMC tool. There must be a CA certificate, as well as a host certificate, present in the system. MMC has facilities for verifying that a host certificate is recognized as being valid. Also verify the certificate is within its valid time window. If the certificate is newly created, for instance, and the time is set incorrectly by only an hour or so, the connection will be refused because the certificate is not valid.

Enabling L2TP Debugging

In a default configuration, Microsoft's L2TP client does not produce any log files. This can make diagnosing problems difficult if the logs on the Advanced Firewall gateway are not sufficient for finding the cause or causes of connection issues. Note that the error messages produced by the L2TP client can be somewhat strange: Modem not responding can mean that there was an IPSec certificate error. As a last resort, you can also enable debug logging on the Windows client.

To enable IPSec-level logging if you are using Windows 2000 or XP, you must create a registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley

Add a REG_DWORD value named 'EnableLogging'. Set the value to 1 to enable logging, or 0 to disable it. After changing this value, the VPN service must be restarted. From the command line:

net stop policyagent

followed by:

net start policyagent

The log file will be in the Windows system directory: \debug\oakley.log

The following URL is Microsoft's own guide to debugging L2TP connection problems: http://support.microsoft.com/default.aspx?scid=kb;en-us;325034

Note: Smoothwall does not endorse manually editing the registry. Incorrectly altering registry values may result in registry corruption and render the computer unusable.

Windows Networking Issues

In order to facilitate network browsing under Microsoft Windows across the VPN, it is necessary to make sure both ends of the tunnel are properly configured. In small, single subnet Windows networks, network neighborhood will just work without any configuration required. In these small networks, network browsing is facilitated via network broadcasts. If a road warrior were to connect in, it would be unable to browse the network unless the administrator has configured the network to enable it. This is because network broadcasts do not normally cross network boundaries, such as routers and VPNs. This problem is exactly what Windows network administrators experience when connecting two or more subnets via a router. If you are familiar with setting up multiple subnets of Windows machines, then the problem to be solved is the same.

In the case of road warrior connections, the problem to be resolved is identical to that which the administrator would face with two normally routed networks, such as two subnets of Windows machines with a VPN between the two. For inexperienced Windows administrators, the following notes are provided to assist with configuring your network to enable network browsing across the VPN.

For NT networks, you will require a WINS server, normally running on your PDC. This WINS server is analogous to a DNS server for the Windows machines. Each of your desktop machines and servers should be configured to use the central WINS server in its network properties box. Any road warriors connecting in should also be set to use this WINS server. Again, the details depend on the client in use. The built-in L2TP client for Windows can be configured to accept WINS and DNS server settings from the server; these parameters are configured in the Global Settings page. If this is done, then when they are connected to the office network via the VPN, they should be able to browse the office network, attach to printers and shares, etc.

In more complex arrangements, it is necessary to set up either one WINS server and share it between the subnets, or have one on each and configure a replicating system between the two.


Appendix D Hosting Tutorials

In this appendix:
• Examples of hosting using Advanced Firewall.

Basic Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254. Within the DMZ there are two servers:
Web server .2 – This server will have an internal IP address of 192.168.1.2 and present an external IP address of 216.1.1.2.
Mail server .3 – This server will have an internal IP address of 192.168.1.3 and present an external IP address of 216.1.1.3.

To configure this scenario:

1 First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3

2 Next, add the port forwards:
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .3 SMTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .3 POP3

3 Finally, add the source mappings:
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Mail Server .3

Extended Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254. Within the DMZ are three servers:
Web server .2 – This server will have an internal IP address of 192.168.1.2 and present an external IP address of 216.1.1.2. It supports both HTTP and HTTPS.
Web server .3 – This server will have an internal IP address of 192.168.1.3 and present an external IP address of 216.1.1.3. It should only be accessible to external hosts in the range 100.100.100.0/24 and 100.100.101.0/24.
Mail server .4 – This server will have an internal IP address of 192.168.1.4 and present an external IP address of 216.1.1.4.

To configure this scenario:

1 First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4

2 Next, add the port forwards:
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTPS (443) | Destination port: HTTPS (443) | Comment: Web Server .2 HTTPS
Protocol: TCP | External IP: 100.100.100.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80)

| Destination port: HTTP (80) | Comment: Web Server .3 HTTP
Protocol: TCP | External IP: 100.100.101.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .4 SMTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .4 POP3

3 Finally, add the source mappings:
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
Source IP: 192.168.1.4 | Alias IP: 216.1.1.4 | Comment: Mail Server .4

More Advanced Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254.

A local private network, 192.168.10.0/24, contains 3 servers:
SQL Server .2 – Internal IP: 192.168.10.2.
Mail Server [int] .3 – Internal IP: 192.168.10.3.
Intranet Web Server .4 – External IP: 216.1.1.4, Internal IP: 192.168.10.4, restricted users.

A DMZ network, 192.168.1.0/24, contains 5 servers:
Web Server .2 – External IP: 216.1.1.2, Internal IP: 192.168.1.2, bridged to SQL Server .2.
Web Server .3 – External IP: 216.1.1.3, Internal IP: 192.168.1.3.
Virtual Web Server .5 – External IP: 216.1.1.5, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .6.

Virtual Web Server .6 – External IP: 216.1.1.6, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .5.
Mail Server [ext, in] .7 – External IP: 216.1.1.7, Internal IP: 192.168.1.7, relaying to Mail Server [int] .3.
Mail Server [ext, out] .6 – External IP: 216.1.1.6, Internal IP: 192.168.1.6, for outgoing mail.

To configure this scenario:

1 First create the external aliases:
Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4
Alias IP: 216.1.1.5 | Netmask: 255.255.255.0 | Comment: External Alias .5
Alias IP: 216.1.1.6 | Netmask: 255.255.255.0 | Comment: External Alias .6
Alias IP: 216.1.1.7 | Netmask: 255.255.255.0 | Comment: External Alias .7

2 Next, add the port forwards:
Port forwards for example 3.
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.10.4 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Intranet Web Server .4 HTTP
Protocol: TCP

| External IP: <BLANK> | Source IP: 216.1.1.5 | Destination IP: 192.168.1.5 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .5 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.6 | Destination IP: 192.168.1.5 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .6 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .7 SMTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .7 POP3

3 Next, add the zone bridges:
Zone bridging for example 3.
Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP | Source IP: 192.168.1.2 | Destination IP: 192.168.10.2 | Destination port: User defined, 3306 | Comment: Web Server .2 to SQL Server .2
Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP | Source IP: 192.168.1.7 | Destination IP: 192.168.10.3 | Destination port: SMTP (25) | Comment: Mail Server [ext, in] .7 to Mail Server [int] .3

4 Finally, add the source mappings:
Source mapping for example 3.
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2

Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
Source IP: 192.168.10.4 | Alias IP: 216.1.1.4 | Comment: Intranet Web Server .4
Source IP: 192.168.1.5 | Alias IP: 216.1.1.5 | Comment: Virtual Web Server .5 & .6
Source IP: 192.168.1.6 | Alias IP: 216.1.1.6 | Comment: Mail Server [ext, out] .6
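As an added example (not Smoothwall code), this Python models the Extended Hosting Arrangement above as data, checks which external source host is admitted to which internal host and port by the port forwards (including the External IP restriction on Web server .3), and renders an equivalent set of iptables rules. The interface names eth0 (red) and eth1 (DMZ) and the iptables rendering are assumptions; the guide itself configures all of this through its web interface.

```python
"""Added example (not Smoothwall code): the Extended Hosting Arrangement as
data, a reachability check for the port forwards, and an assumed iptables
rendering of aliases, port forwards and source mappings."""

import ipaddress

RED_IF, DMZ_IF = "eth0", "eth1"   # assumed interface names

# External aliases from the tutorial: (alias IP, netmask, comment)
ALIASES = [
    ("216.1.1.2", "255.255.255.0", "External Alias .2"),
    ("216.1.1.3", "255.255.255.0", "External Alias .3"),
    ("216.1.1.4", "255.255.255.0", "External Alias .4"),
]

# Port forwards: (External IP restriction or None for <BLANK>,
#                 alias IP, internal IP, TCP port, comment)
FORWARDS = [
    (None, "216.1.1.2", "192.168.1.2", 80, "Web Server .2 HTTP"),
    (None, "216.1.1.2", "192.168.1.2", 443, "Web Server .2 HTTPS"),
    ("100.100.100.0/24", "216.1.1.3", "192.168.1.3", 80, "Web Server .3 HTTP"),
    ("100.100.101.0/24", "216.1.1.3", "192.168.1.3", 80, "Web Server .3 HTTP"),
    (None, "216.1.1.4", "192.168.1.4", 25, "Mail Server .4 SMTP"),
    (None, "216.1.1.4", "192.168.1.4", 110, "Mail Server .4 POP3"),
]

# Source mappings: (internal IP, alias IP, comment)
MAPPINGS = [
    ("192.168.1.2", "216.1.1.2", "Web Server .2"),
    ("192.168.1.3", "216.1.1.3", "Web Server .3"),
    ("192.168.1.4", "216.1.1.4", "Mail Server .4"),
]


def forward_target(src_ip, ext_ip, port):
    """Internal 'ip:port' that a TCP connection from src_ip to ext_ip:port
    is forwarded to, or None when no forward admits it. A forward with an
    External IP restriction only admits sources inside that network;
    <BLANK> admits any source."""
    src = ipaddress.ip_address(src_ip)
    for restrict, alias, internal, fport, _ in FORWARDS:
        if alias != ext_ip or fport != port:
            continue
        if restrict is None or src in ipaddress.ip_network(restrict):
            return f"{internal}:{fport}"
    return None


def outbound_source(internal_ip):
    """Public address an internal host is source-mapped to on the way out."""
    for internal, alias, _ in MAPPINGS:
        if internal == internal_ip:
            return alias
    return None


def iptables_rules():
    """Render the three tables as iptables commands (assumed equivalent):
    aliases become extra addresses on the red interface, port forwards
    become DNAT plus a FORWARD accept, source mappings become SNAT."""
    lines = []
    for ip, mask, comment in ALIASES:
        prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
        lines.append(f"ip addr add {ip}/{prefix} dev {RED_IF}  # {comment}")
    for restrict, alias, internal, port, comment in FORWARDS:
        src = f" -s {restrict}" if restrict else ""
        lines.append(
            f"iptables -t nat -A PREROUTING -i {RED_IF} -p tcp{src} -d {alias} "
            f"--dport {port} -j DNAT --to-destination {internal}:{port}  # {comment}")
        lines.append(
            f"iptables -A FORWARD -i {RED_IF} -o {DMZ_IF} -p tcp{src} -d {internal} "
            f"--dport {port} -j ACCEPT  # {comment}")
    for internal, alias, comment in MAPPINGS:
        lines.append(
            f"iptables -t nat -A POSTROUTING -o {RED_IF} -s {internal} "
            f"-j SNAT --to-source {alias}  # {comment}")
    return lines


if __name__ == "__main__":
    print(forward_target("100.100.100.7", "216.1.1.3", 80))  # admitted
    print(forward_target("8.8.8.8", "216.1.1.3", 80))        # refused: None
    print("\n".join(iptables_rules()))
```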

Glossary

Numeric

2-factor authentication – The password to a token used with the token. In other words: 2-factor authentication is something you know, used together with something you have. Access is only granted when you use the two together.
3DES – A triple strength version of the DES cryptographic standard, usually using a 168-bit key.

A

Acceptable Use Policy – See AUP.
Access control – The process of preventing unauthorized access to computers, programs, processes, or systems.
Active Directory – Microsoft directory service for organizations. It contains information about organizational units, users and computers.
ActiveX* – A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser.
AES (Advanced Encryption Standard) – A method of encryption selected by NIST as a replacement for DES and 3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides high security with fast performance across multiple platforms.
AH (Authentication Header) – Forms part of the IPSec tunnelling protocol suite. AH sits between the IP header and datagram payload to maintain information integrity, but not secrecy.
Algorithm – In Smoothwall products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it.
Alias or External Alias – In Smoothwall terminology, an alias is an additional public IP that operates as an alternative identifier of the red interface.
ARP (Address Resolution Protocol) – A protocol that maps IP addresses to NIC MAC addresses.
ARP Cache – Used by ARP to maintain the correlation between IP addresses and MAC addresses.
AUP (Acceptable Use Policy) – An AUP is an official statement on how an organization expects its employees to conduct messaging and Internet access on the organization’s email and Internet systems. The policy explains the organization’s position on how its users should conduct communication within and outside of the organization, both for business and personal use.
Authentication – The process of verifying identity or authorization.

B

Bandwidth – Bandwidth is the rate that data can be carried from one point to another. Measured in Bps

(Bytes per second) or Kbps.
BIN – A binary certificate format, an 8-bit compatible version of PEM.
Buffer Overflow – An error caused when a program tries to store too much data in a temporary storage area. This can be exploited by hackers to execute malicious code.

C

CA (Certificate Authority) – A trusted network entity, responsible for issuing and managing x509 digital certificates.
Certificate – A digital certificate is a file that uniquely identifies its owner. A certificate contains owner identity information and its owner's public key. Certificates are created by CAs.
Cipher – A cryptographic algorithm.
Ciphertext – Encrypted data which cannot be understood by unauthorized parties. Ciphertext is created from plain text using a cryptographic algorithm.
Client – Any computer or program connecting to, or requesting the services of, another computer or program.
Cracker – A malicious hacker.
Cross-Over Cable – A network cable with TX and RX (transmit and receive) reversed at either end to provide a direct peer-to-peer network connection.
Cryptography – The study and use of methods designed to make information unintelligible.

D

Default Gateway – The gateway in a network that will be used to access another network if a gateway is not specified for use.
Denial of Service – Occurs when a network host is flooded with large numbers of automatically generated data packets. The receiving host typically slows to a halt while it attempts to respond to each request.
DER (Distinguished Encoding Rules) – A certificate format typically used by Windows operating systems.
DES (Data Encryption Standard) – A historical 64-bit encryption algorithm still widely used today. DES is scheduled for official obsolescence by the US government agency NIST.
DHCP (Dynamic Host Configuration Protocol) – A protocol for automatically assigning IP addresses to hosts joining a network.
Dial-Up – A telephone based, non-permanent network connection, established using a modem.
DMZ (Demilitarized Zone) – An additional separate subnet, isolated as much as possible from protected networks.
DNS (Domain Name Service) – A name resolution service that translates a domain name to an IP address and vice versa.
Domain Controller – A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources.
Dynamic IP – A non-permanent IP address automatically assigned to a host by a DHCP server.

Dynamic token – A device which generates one-time passwords based on a challenge/response procedure.

E

Egress filtering – The control of traffic leaving your network.
Encryption – The transformation of plaintext into a less readable form (called ciphertext) through a mathematical process. A ciphertext may be read by anyone who has the key to decrypt (undo the encryption) it.
ESP (Encapsulating Security Payload) – A protocol within the IPSec protocol suite that provides encryption services for tunnelled data.
Exchange Server – A Microsoft messaging system including mail server, email client and groupware applications (such as shared calendars).
Exploit – A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service.

F

Filter – A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine if a user should be allowed access to information or files he/she has requested using their web browser.
FIPS – Federal Information Processing Standards. See NIST.
Firewall – A combination of hardware and software used to prevent access to private network resources.

G

Gateway – A network point that acts as an entrance to another network.
Green – In Smoothwall terminology, green identifies the protected network.

H

Hacker – A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent.
Host – A computer connected to a network.
Hostname – A name used to identify a network host.
HTTP (Hypertext Transfer Protocol) – The set of rules for transferring files on the World Wide Web.
HTTPS – A secure version of HTTP using SSL.
Hub – A simple network device for connecting networks and network hosts.

localized geography. LAN (Local Area Network) is a network between hosts in a similar. For example. the greater the key space. It is chiefly used by networked computers' operating systems to send error messages indicating. L L2F (Layer 2 Forwarding) A VPN system. IDS Intrusion Detection System Internet Protocol IPS Intrusion Prevention System IP Address A 32-bit number that identifies each sender and receiver of network data. IPSec Passthrough A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through. Given an algorithm. MX Record 344 (Mail eXchange) An entry in a domain name database that specifies an email server to . Kernel The core part of an operating system that provides services to all other parts the operating system. that a requested service is not available or that a host or router could not be reached. the system locks out the user. After three attempts. the key determines the mapping of plaintext to ciphertext.I ICMP (Internet Control Message Protocol) One of the core protocols of the Internet protocol suite. Leased Lines (Or private circuits) A bespoke high-speed. The key space is the number of bits needed to count every distinct key. K Key A string of bits used with an algorithm to encrypt and decrypt data. IPtables The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities. IPSec (Internet Protocol Security) An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF). L2TP (Layer 2 Transport Protocol) A protocol based on IPSec which combines Microsoft PPTP and Cisco Systems L2F tunnelling protocols. developed by Cisco Systems. high-capacity site-to-site network that is installed. a three try limit when entering a password. The longer the key length (in bits). leased and managed by a telephone company. Key space The name given to the range of possible values for a key. Lockout A method to stop an unauthorized attempt to gain access to a computer. 
ISP An Internet Service Provider provides Internet connectivity. M MAC Address (Media Access Control) An address which is the unique hardware identifier of a NIC. for example.

PEM (Privacy Enhanced Mail) A popular certificate format. PKCS#12 (Public Key Cryptography Standards # 12) A portable container file format for transporting certificates and private keys. N NAT-T (Network Address Translation Traversal) A VPN Gateway feature that circumvents IPSec NATing problems. should a key currently in use be compromised. used to authenticate a user as authorized to access a computer or data. used to secure previous VPN communications. Phase 1 negotiates the security parameter agreement. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up. PKI (Public Key Infrastructure) A framework that provides for trusted third party vetting of.Smoothwall Advanced Firewall Administrator’s Guide handle a domain name's email. PFS See Perfect Forward Secrecy Phase 1 Phase 1 of a 2 phase VPN tunnel establishment process. The public keys are typically in certificates. optionally time settings and authentication requirements. and binding of public keys to users. known only to the authorized user(s) and the system. NIC Network Interface Card NIST (National Institute of Standards and Technology) NIST produces security and cryptography related standards and publishes them as FIPS documents. Plaintext Data that has not been encrypted. Policy Contains content filters and. Ping A program used to verify that a specific IP address can be seen from another. or ciphertext that has been decrypted. It is a more effective solution than IPSec Passthrough. Port Forward A firewall rule that routes traffic from a receiving interface and port combination to 345 . to determine how Advanced Firewall handles web content and downloads to best protect your users and your organization. user identities. NTP (Network Time Protocol) A protocol for synchronizing a computer's system clock by querying NTP Servers. O OU An organizational unit (OU) is an object used to distinguish different departments. Phase 2 Phase 2 of 2 phase VPN tunnel establishment process. 
P Password A protected/private string of characters. Perfect Forward Secrecy A key-establishment protocol. Port A service connection point on a computer system numerically identified between 0 and 65536. Port 80 is the HTTP port. sites or teams in your organization. and vouching for.

another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. rules are used to determine what traffic is allowed to move from one network endpoint to another. red is used to identify the Unprotected Network (typically the Internet). Public Key A publicly available encryption key that can decrypt messages encrypted by its owner's private key. Only the corresponding public key can decrypt messages encrypted using the private key. Proxy An intermediary server that mediates access to a service. Route A path from one network point to another. typically a travelling worker 'on the road' requiring access to a organization’s network via a laptop. Protocol A formal specification of a means of computer communication. Road Warrior An individual remote network user. RIP (Routing Information Protocol) A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are. Private Key A secret encryption key known only by its owner. Red In Smoothwall. It should 346 . PPP (Point-to-Point Protocol) Used to communicate between two computers via a serial interface. Routing Table A table used to provide directions to other networks and hosts. S Security policy A security policy is a collection of procedures. PuTTY A free Windows / SSH client. RAS has been largely superseded by VPNs. QOS is a contractual guarantee of uptime and bandwidth. R RAS (Remote Access Server) A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. Rules In firewall terminology. PSK (Pre-Shared Key) An authentication mechanism that uses a password exchange and matching process to determine authenticity. Q QOS (Quality of Service) In relation to leased lines. Usually has a dynamic IP address. Private Circuits See Leased Lines. 
PPTP (Peer-to-Peer Tunnelling Protocol) A widely used Microsoft tunnelling standard deemed to be relatively insecure. standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. A public key can be used to send a private message to the public key owner. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.

Smart card A device which contains the credentials for authentication to any device that is smart card-enabled. in practice. typically between two business sites. and terminating an interactive user session that involves multimedia elements such as video. Tunneling The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network. it becomes impossible to break the system within a meaningful time frame. 347 . VPNs require minimal client configuration. Site-To-Site A network connection between two LANs. a computer that provides shared resources to network users. online games. SSL VPN A VPN accessed via HTTPS from any browser (theoretically). Squid A high performance proxy caching server for web clients.Smoothwall Advanced Firewall Administrator’s Guide include password. Subnet An identifiably separate part of an organization’s network. account and logging policies. Switch An intelligent cable junction device that links networks and network hosts together. SSL A cryptographic protocol which provides secure communications on the Internet. Syslog A server used by other hosts to remotely record logging information. Single Sign-On (SSO) The ability to log-in to multiple computers or servers in a single action by entering a single password. voice. Spam Junk email. administrator and user rights and define what behavior is and is not permitted. usually unsolicited. U User name / user ID A unique name by which each user is known to the system. SSH (Secure Shell) A command line interface used to securely access a remote computer. Commonly used in VOIP applications. by whom and under what circumstances. SIP (Session Initiation Protocol) A protocol for initiating. SQL Injection A type of exploit whereby hackers are able to execute SQL statements via an Internet browser. instant messaging. Usually uses a static IP address. 
modifying. and virtual reality. Strong encryption A term given to describe a cryptographic system that uses a key so long that. T Triple DES (3-DES) Encryption A method of data encryption which uses three encryption keys and runs DES three times Triple-DES is substantially stronger than DES. Server In general.

VPN Gateway An endpoint used to establish.V VPN (Virtual Private Network) A network connected together via securely encrypted communication tunnels over a public network. such as the global Internet. manage and control VPN connections. X X509 An authentication method that uses the exchange of CA issued certificates to guarantee authenticity. 348 .
